{"viewCount": 2, "id": "MAN-ARRESTED-SELLING-CLASSIFIED-DOCUMENTS-FBI-120710/74745", "hash": "a5454761ee070d4c48c6f50b8a573776d242c79097f23b4b7397816ee0effb25", "description": "[The Washington Post](<https://www.washingtonpost.com/wp-dyn/content/article/2010/12/06/AR2010120607109.html>) is reporting that Petty Officer Bryan Minkyu Martin was arrested sometime last week on suspicion of stealing classified documents from military networks and attempting to sell them to a foreign agent.\n\nMartin is a Navy specialist at the Joint Special Operations Command. He has not yet been charged, but is under investigation for committing espionage after accepting money in exchange for passing classified documents along to an undercover FBI agent that he believed to be a foreign intelligence official.\n\nAccording to the report in the Post, the first meeting took place at a hotel in North Carolina on November 15. Looking ahead, Martin promised he would be a valuable asset in providing secret information throughout his career, which he projected would last the next 15-20 years. In the days that followed, Martin passed along more classified information, including documents marked Secret and Top Secret, and accepted some $3,500 in return.\n\nThe arrest comes in the midst of an ongoing scandal over the leak of classified State Department and Pentagon documents to the website [Wikileaks](<https://threatpost.com/wikileaks-uncle-sam-was-warned-120310/>). U.S. government agencies are stepping up their efforts to secure classified information and hopefully avoid another Wikileaks-like scandal. In recent days, U.S. Senators John Ensign (R-Nev.), Joe Lieberman (I-Conn.) and Scott Brown (R-Mass.) have introduced legislation that would make it illegal to publish the names of military or intelligence community informants, [The Hill](<http://thehill.com/blogs/hillicon-valley/technology/131885-senators-unveil-anti-wikileaks-legislation>) reports.", "href": "https://threatpost.com/man-arrested-selling-classified-documents-fbi-120710/74745/", "history": [], "edition": 1, "threatPostCategory": "Government", "cvelist": [], "references": ["https://www.washingtonpost.com/wp-dyn/content/article/2010/12/06/AR2010120607109.html", "https://threatpost.com/wikileaks-back-online-after-sustained-ddos-attack-081312/76908/", "http://thehill.com/blogs/hillicon-valley/technology/131885-senators-unveil-anti-wikileaks-legislation", "https://threatpost.com/wikileaks-uncle-sam-was-warned-120310/", "https://threatpost.com/assanges-asylum-balance-researcher-warns-ecuadors-deliberations-are-vulnerable-online-snooping/76743/", "https://threatpost.com/wikileaks-publish-almost-25-million-syria-files-070512/76772/"], "modified": "2013-04-17T20:09:51", "cvss": {"score": 0, "vector": "NONE"}, "bulletinFamily": "info", "title": "Man Arrested Selling Classified Documents to FBI", "objectVersion": "1.2",
"reporter": "Brian Donohue", "lastseen": "2016-09-04T20:52:05", "type": "threatpost", "published": "2010-12-07T18:58:00", "enchantments": {"vulnersScore": 3.2}}

{"result": {"f5": [{"lastseen": "2017-08-18T03:08:37", "references": [], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ 
ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.3.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "reporter": "f5", "published": "2017-08-18T01:09:00", "title": "Apache Tomcat vulnerabilities CVE-2017-7674 and CVE-2017-7675", "type": "f5", "enchantments": {}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2017-7675", "CVE-2017-7674"], "modified": "2017-08-18T01:09:00", "id": "F5:K92665308", "href": "https://support.f5.com/csp/article/K92665308", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-18T01:08:53", "references": [], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| 
None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.3.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: 
Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "reporter": "f5", "published": "2017-08-18T00:44:00", "title": "Linux kernel vulnerability CVE-2017-5972", "type": "f5", "enchantments": {}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2017-5972"], "modified": "2017-08-18T00:44:00", "id": "F5:K03685068", "href": "https://support.f5.com/csp/article/K03685068", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "carbonblack": [{"lastseen": "2017-08-17T16:10:38", "references": [], "description": "Good morning! Sit with Carbon Black this morning over a cup of coffee (or tea) and browse a few industry headlines to get the day started. We\u2019ve got just enough information below to get you through that first cup\u2026enjoy!\n\n**August 17, 2017 - Headlines**\n\n[Students offer hope for narrowing of skills gap in cyber-security](<https://www.scmagazineuk.com/students-offer-hope-for-narrowing-of-skills-gap-in-cyber-security/article/682418/>) - SC Media\n\n[What is an Enterprise-class Cybersecurity Vendor?](<http://www.csoonline.com/article/3216497/security/what-is-an-enterprise-class-cybersecurity-vendor.html>) - CSO Online\n\n[Women in cybersecurity: IBM wants to send you to a hacker conference for free](<http://www.techrepublic.com/article/women-in-cybersecurity-ibm-wants-to-send-you-to-a-hacker-conference-for-free/>) - Tech Republic\n\n[Cybersecurity: Is the Air Gap Strategy Making a Comeback?](<https://www.automationworld.com/cybersecurity-air-gap-strategy-making-comeback>) - Automation World\n\n[How America Is Closing the Cybersecurity Skills Gap](<http://knowledge.wharton.upenn.edu/article/america-plans-close-skills-gap-cybersecurity/>) - Wharton\n\n[Cybersecurity IT pros vs. 
policy wonks: How to bridge the communication gap](<http://www.techrepublic.com/article/cybersecurity-it-pros-vs-policy-wonks-how-to-bridge-their-communication-gap/>) - Tech Republic\n\n['Indefensible' hack could leave modern cars vulnerable to critical cybersecurity attack](<http://www.techrepublic.com/article/indefensible-hack-could-leave-modern-cars-vulnerable-to-critical-cybersecurity-attack/>) - Tech Republic\n\n[70% of DevOps Pros Say They Didn't Get Proper Security Training in College](<https://www.darkreading.com/application-security/70--of-devops-pros-say-they-didnt-get-proper-security-training-in-college/d/d-id/1329654?>) - Dark Reading\n\n[Websites Selling DDoS Services and Tools on the Rise in China](<https://www.darkreading.com/attacks-breaches/websites-selling-ddos-services-and-tools-on-the-rise-in-china/d/d-id/1329646?>) - Dark Reading\n\n[Skilled bad actors use new pulse wave DDoS attacks to hit multiple targets](<http://www.csoonline.com/article/3216548/security/skilled-bad-actors-using-new-pulse-wave-ddos-attacks-to-pin-down-multiple-targets.html>) - CSO Online\n\n**Did You Know?**\n\nDavy Crockett, American frontiersman and politician, was born on this day in 1786.\n\n**Quote of the Day**\n\n_\"Be always sure you are right - then go ahead.\" - Davy Crockett_\n\n**Today's Trivia!**\n\nDavy Crockett died defending what (now famous) San Antonio building?\n\n**Yesterday's Question:** In what U.S. State was Elvis born?\n\n**Answer:** Mississippi\n\nBeat the Streak! Our current longest streak of correct answers comes from **Matt M., who has achieved correct answers for 32 days straight.** Can you beat the streak?\n\n**Current Streaks** \nMatt M. - 32 days \nTrent G. - 30 days \nKourken A. - 7 days \nThomas B. - 3 days \nHelen C. - 3 days \n@kimwh - 2 days \n@PJ_Livingston - 2 days\n\n**Hall-of-Fame Streaks** \n@kimwh - 197 days \nCait R. - 106 days \nKevin F. 
- 85 days\n\nTweet the correct answer to @CarbonBlack_Inc and get a shout out in tomorrow's Morning Coffee and your Twitter handle in a #FF tweet at the end of the week!\n\nThe post [August 17, 2017 - Morning Cyber Coffee Headlines - \"Davy Crockett\" Edition](<https://www.carbonblack.com/2017/08/17/august-17-2017-morning-cyber-coffee-headlines-davy-crockett-edition/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "reporter": "Ryan Murphy", "published": "2017-08-17T15:54:38", "type": "carbonblack", "title": "August 17, 2017 \u2013 Morning Cyber Coffee Headlines \u2013 \u201cDavy Crockett\u201d Edition", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-17T15:54:38", "id": "CARBONBLACK:4C1D2723517F3C4C312B26D373384B27", "href": "https://www.carbonblack.com/2017/08/17/august-17-2017-morning-cyber-coffee-headlines-davy-crockett-edition/", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2017-08-17T16:10:33", "references": [], "description": "_[Me]: To keep your players happy - you need to understand why they're not._\n\n_[You]: Uh, yeah obviously. Thanks. So what?_\n\nActually, I have a lot to say on the topic of keeping players happy. A few months back I wrote a quick post about [Friction](<https://blogs.akamai.com/2017/02/friction-hurts-especially-in-gaming.html>).\n\n**Friction**, as I defined it, is anything that prompts your player to leave your game and look elsewhere. And you know the scary stats (right?): 95 percent of players leave a game within its first 30 days.\n\nFear mongering aside; I think it is a topic so important that I actually wrote an entire book about it. Today I'd like to dive a bit more into what friction means and why it's worth your time to read more about it.\n\nI settled on the term Friction, and the grid below, to help you build a framework to think about how best to keep your players happy. 
A lot of your work already goes into creating cool, fun, delightful experiences, but I'd argue (and did for 120 pages) that the obstacles are just as critical as the delight. Everything that gets in the way of the cool and the fun will kill the player experience.\n\n**Seeking Understanding**\n\nUnderstanding Frictions means understanding the myriad points of contact with your players and mapping out problem areas well in advance. This starts with game design, and goes all the way through marketing and post launch. It helps to think about frictions in terms of consequences and outcomes. Given enough sources or intensities of friction, players will quit. And once they're gone, it can be very difficult to get them back. That abandonment can affect not only the specific game but the studio's reputation and future projects for years to come.\n\nTo make it easy I've laid out a straightforward way to conceptualize frictions in the grid below. This will help you to understand where they fall, how they intersect and interact, and what they mean to you. My book - Frictionless \\- will go even deeper into helping you prepare for and manage them as they arise during your development cycles and throughout community-building and engagement, from announcement to launch and beyond.\n\n[![To Keep Players Happy 1.png](https://blogs.akamai.com/assets_c/2017/08/To%20Keep%20Players%20Happy%201-thumb-500xauto-6290.png)](<https://blogs.akamai.com/assets_c/2017/08/To%20Keep%20Players%20Happy%201-6290.html>)\n\nThe grid is broken up into quadrants along two axes. \"Harmful\" and \"Beneficial\" along the X-axis, and \"Avoidable\" and \"Unavoidable\" along the Y-axis. Most frictions leech player satisfaction and disrupt immersion, although some can, as noted on the grid, be good for you. Your job is to recognize the different kinds of frictions, then manage and solve for them.\n\nSo what are some examples of frictions? 
Consider the following:\n\n * Cost\n\n * Payment Method\n\n * Game Difficulty\n\n * Customization\n\n * Hardware\n\n * Language\n\n * Time-to-play\n\n * Accessibility Issues\n\nOnce you really get into mapping out frictions, you'll find that many of them can end up in multiple places on the grid. Aha. There's the rub (that's a friction joke in case you missed it). Your goal is to identify those that end up on the \"harmful\" side of the grid, and figure out how to flip them over to beneficial. Is this a really difficult game (a la Dark Souls)? Market it as such. You obviously have to get players to pay for your game. Make sure the price is right, or make sure it's folded naturally into a solid freemium design. Are your cutscenes unskippable? Fix that before launch, or patch ASAP post launch.\n\nLooking back at our list again - it's a bit of a hodge-podge. It would help to add further organization. In the book, I've broken down sources of Friction into three different source types:\n\n 1. Player Frictions\n\n 2. Game Frictions\n\n 3. Publisher Frictions\n\nIf we reorganize our list, we come up with:\n\n[![To Keep Players Happy 2.png](https://blogs.akamai.com/assets_c/2017/08/To%20Keep%20Players%20Happy%202-thumb-675x150-6293.png)](<https://blogs.akamai.com/assets_c/2017/08/To%20Keep%20Players%20Happy%202-6293.html>)\n\nI'm sure just by looking at this rough grid, you're already coming up with a host of missing items, and you're likely already categorizing them. Good! My job is... well, not quite done. But we're getting there. In fact, what we've done here at Akamai is put together an [interactive tool](<https://www.akamai.com/us/en/infographics/reducing-the-friction-infographic.jsp>) for you to use to do some of this mapping yourself. 
I suggest that your next step is to check it out.\n\nAlso, for a good deal more detail on Friction and on how to make it easy for players to find, play, and fall in love with your game, check out my book: [Frictionless](<https://www.akamai.com/us/en/multimedia/documents/brochure/frictionless-build-better-video-games-attract-retain-players-grow-revenue.pdf>).", "reporter": "Nelson Rodriguez", "published": "2017-08-17T14:35:12", "type": "akamaiblog", "title": "To Keep Players Happy, First Seek Understanding", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-17T14:36:06", "id": "AKAMAIBLOG:50754357EEE74227F6571B3FA888D798", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/2GFEUlM9GPY/to-keep-players-happy-first-seek-understanding.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "schneier": [{"lastseen": "2017-08-17T12:15:21", "references": [], "description": "The US Supreme Court is deciding a case that will establish whether the police need a warrant to access cell phone location data. This week I signed on to an [amicus brief](<https://assets.documentcloud.org/documents/3932663/Carpenter-Amicus-Brief-Technology-Experts.pdf>) from a wide array of security technologists outlining the technical arguments as to why the answer should be yes. 
Susan Landau [summarized](<https://www.lawfareblog.com/phones-move-%E2%80%93%C2%A0and-so-should-law>) our arguments.\n\nA bunch of tech companies [also submitted](<https://www.reuters.com/article/us-usa-court-mobilephone-idUSKCN1AV1B3>) a brief.", "reporter": "Bruce Schneier", "published": "2017-08-17T11:12:55", "type": "schneier", "title": "Do the Police Need a Search Warrant to Access Cell Phone Location Data?", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-17T11:12:55", "id": "SCHNEIER:D208AD4929D1D7451A546B490ADEC729", "href": "https://www.schneier.com/blog/archives/2017/08/do_the_police_n.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackread": [{"lastseen": "2017-08-16T16:09:04", "references": [], "description": "<p>By <a rel=\"nofollow\" href=\"https://www.hackread.com/author/uzair/\">Uzair Amir</a></p>\n<p>The IT security researchers at CheckPoint\u00a0cyber security firm headquartered in</p>\n<p>This is a post from HackRead.com Read the original post: <a rel=\"nofollow\" href=\"https://www.hackread.com/nigeria-man-hacked-global-oil-gas-and-energy-firms/\">Nigerian Man Hacked Thousands of Global Oil &#038; Gas and Energy Firms</a></p>", "reporter": "Uzair Amir", "published": "2017-08-16T13:51:11", "type": "hackread", "title": "Nigerian Man Hacked Thousands of Global Oil & Gas and Energy Firms", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-16T13:51:11", "id": "HACKREAD:0D4906C3E18360D6EAE4BCD38AED506E", "href": "https://www.hackread.com/nigeria-man-hacked-global-oil-gas-and-energy-firms/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-14T23:32:50", "references": [], "description": "<p>By <a rel=\"nofollow\" href=\"https://www.hackread.com/author/carolina/\">Carolina</a></p>\n<p>Law enforcement authorities in India have arrested four people for</p>\n<p>This is a post 
from HackRead.com Read the original post: <a rel=\"nofollow\" href=\"https://www.hackread.com/india-arrest-4-for-leaking-game-of-thrones-episode/\">India arrest 4 for leaking &#8216;Game Of Thrones&#8217; Episode 4 of Season 7</a></p>", "reporter": "Carolina", "published": "2017-08-14T21:19:01", "type": "hackread", "title": "India arrest 4 for leaking \u2018Game Of Thrones\u2019 Episode 4 of Season 7", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-14T21:19:01", "id": "HACKREAD:60CD4F314009B241CC43F3F1734F042C", "href": "https://www.hackread.com/india-arrest-4-for-leaking-game-of-thrones-episode/", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2017-08-16T14:09:19", "references": [], "description": "![How should CIOs approach cyber security in the new year?](http://blog.trendmicro.com/wp-content/uploads/2016/01/How-should-CIOs-approach-cyber-security-in-the-new-year_459_40107513_0_14090567_300.jpg)\n\nWhodunnit? The superior detective dazzles us with brilliance, skill, and patience to unmask the bad guy. The interplay of forensic science and psychological insight have fascinated us from Sherlock Holmes to the CSI television series. Sometimes the answer is completely surprising, as in Murder on the Orient Express. Other times, the mystery is known to us all, and promptly dismissed: \u201cThe Major has been shot. Round up the usual suspects.\u201d\n\nEarlier this week the iSMG Fraud and Breach Prevention Summit in New York City featured a fascinating conversation on the value of attribution, led by Gartner\u2019s Avivah Litan. The panel was called: \u201cMoving from Indicators of Compromise to Indicators of Attack: But Will Attacker Attribution Really Help Us?\u201d The panelists were Jackie Castelli from CrowdStrike, Noam Jolles from Diskin Advanced Technologies, and Richard T. Jacobs from the FBI New York Division. 
This note offers my observations on that conversation.\n\nIn the cybersecurity domain, what is the value of attribution? There are four possible reasons for identifying the individual or team that caused an information security breach.\n\n * For forensic evidence supporting an arrest\n * For a government to determine if there was a _casus belli_\n * For a potential target to learn details of an upcoming attack \u2013 or an attack in progress\n * For retaliation (A VERY, VERY BAD IDEA)\n\nPreserving evidence should be a part of any organization\u2019s [cyber incident response plan](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/are-incident-response-teams-really-necessary->). Not having a plan can lead to very difficult choices. One firm had to choose between preserving the evidence or re-establishing online operations. They decided to restore their systems to a state before the attack occurred and get back online. This choice has a few problems. First, by restoring the system to its state before the attack, the system recreated the same vulnerabilities that were used against it successfully. The attacker could cause the same problem again with little difficulty. Second, the attacker did not have to cover their tracks: the victim did. The attacker could use the same attack against another victim, with no prior information available to establish a pattern.\n\nLaw enforcement ultimately must determine the actual source of an attack. By working with law enforcement, firms can help them develop and evaluate evidence. As a colleague wrote,\n\n\u201cOne of the main reasons we don\u2019t attribute publicly is that it is so easy to get it wrong. The only people who realistically can say for sure that a criminal attack occurred is Law Enforcement \u2013 and even then only after reviewing all evidence, supplied by industry and gathered themselves, including those from seized suspect machines. 
For state-level attribution, only a military or intelligence agency who through their own counter-intelligence operations have a deep understanding of the person on the other side. Otherwise, it is very easy to drop false flags \u2013 clues that point to another attack group. Imagine the scenario of an intelligence unit from country X hitting a gas company in the Middle East. Adding in some Russian strings and, given Russia\u2019s natural interest in gas as a resource, they will for sure get the blame. Consider a criminal group hacking a bank: Drop one copy of Lazarus malware on the machine, and North Korea will be accused. Even if you think it is a group from country X, is it a state-group, state-sponsored, contractor, state-condoned, dissident, patriot, criminal, etc.?\u201d\n\nGovernments need to know who attacked their interests to frame a proportionate response. Knowing the actual source lets governments act confidently against the actual enemy, rather than launch a misguided action. Further, in some cases, while the attack may have originated from a government-sponsored organization, the individual perpetrating the attack may not have been acting with governmental authorization. A rogue individual may exploit the capabilities provided him or her without direct orders to do so.\n\nPotential targets can well benefit from understanding the sequence of events culminating in a cyber-incident against them. In this case, attribution means understanding the attack well enough to anticipate and interrupt it before actual harm occurs. By identifying the specific attack, the target can take defensive measures to avoid harmful consequences. The US CERT and the ISACs provide alerts about attacks with sufficient information for this purpose.\n\nRevenge is never a good idea. Individuals and corporations may have a fair level of certainty about the source of an attack. Beware though! A vengeful act could disrupt an ongoing criminal investigation. 
The vengeful actor itself could face a criminal investigation: all hacking is illegal, regardless of which side is doing it, or started it. Cyber criminals, hacktivists, and foreign intelligence services have significant skills. They can plant misleading clues pointing to another party. While it may be embarrassing to suffer a breach, it would be substantially more consequential to disrupt some innocent third party in an erroneous and misguided response to punish the suspected perpetrator.\n\nMoreover, sometimes an attack is not actually an attack. Consider the recent OnionDog incident: <http://blog.trendmicro.com/trendlabs-security-intelligence/oniondog-not-targeted-attack-cyber-drill/>\n\nAt Trend Micro we do not attribute attacks to nations. We share evidence with national law enforcement agencies to assist in their pursuit of a wrongdoer. See these blog posts on [fighting cybercrime](<https://www.trendmicro.com/en_us/about/global-citizenship/fighting-cybercrime.html>), collaboration with [law enforcement](<http://blog.trendmicro.com/trend-micro-collaboration-law-enforcement-makes-world-safer-exchanging-digital-information/>), and working with [Interpol](<http://blog.trendmicro.com/trendlabs-security-intelligence/law-enforcement-cooperation-and-trend-micro/>), and this [statement](<https://www.youtube.com/watch?v=qGtC8VIvmEU>) by our late CTO, Raimund Genes, from our YouTube Channel. We strongly discourage any (potentially criminal) acts of retribution or _lex talionis_. We work diligently to reveal attack patterns to assist our clients and the larger world to recognize, prepare for, and thwart hostile and disruptive acts.\n\nWho did it? If they didn\u2019t do much, it doesn\u2019t much matter.\n\nWhat are your thoughts on this? 
Post a comment below, or tweet me [@WilliamMalikTM](<https://twitter.com/WilliamMalikTM>).", "reporter": "William \"Bill\" Malik", "published": "2017-08-16T12:00:04", "type": "trendmicroblog", "title": "What are the Benefits of Attribution?", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-16T12:00:04", "id": "TRENDMICROBLOG:AD072C522127A8D90C43B8A8F2444403", "href": "http://blog.trendmicro.com/what-are-the-benefits-of-attribution/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2017-08-16T16:07:08", "references": [], "description": "[![money-laundering-silkroad-bitcoin](https://3.bp.blogspot.com/-YibI7X06F6w/WZQ9bSrMAmI/AAAAAAAAuG8/l4fQmhCr9bM5QiUFPsoEkS6JvsXmg1XdwCLcBGAs/s1600/money-laundering-silkroad-bitcoin.png)](<https://3.bp.blogspot.com/-YibI7X06F6w/WZQ9bSrMAmI/AAAAAAAAuG8/l4fQmhCr9bM5QiUFPsoEkS6JvsXmg1XdwCLcBGAs/s1600/money-laundering-silkroad-bitcoin.png>)\n\nA former United States Secret Service agent who [stole hundreds of thousands of dollars](<http://thehackernews.com/2015/03/silk-road-fedral-agents-charged.html>) worth of Bitcoins during an investigation into the then-largest underground marketplace Silk Road has now pleaded guilty to money laundering. \n \n[**Shaun W. Bridges**](<http://thehackernews.com/2016/07/bitcoin-silk-road.html>) is one of two former US undercover agents who [pleaded](<https://www.justice.gov/usao-ndca/pr/former-secret-service-agent-pleads-guilty-money-laundering>) guilty in 2015 to one count of money laundering and one count of obstruction and was sentenced in December of the same year to almost six years in prison for stealing over $800,000 in Bitcoin while investigating Silk Road. \n \n35-year-old Bridges, who had been a Special Agent with the U.S. 
Secret Service for almost six years, stole money from Silk Road accounts along with his partner and framed someone else for the laundering, which even led the Silk Road founder [Ross Ulbricht](<http://thehackernews.com/2015/02/silk-road-founder-ross-ulbricht_4.html>) to plan a murder. \n \nUlbricht was convicted in February 2015 of running the Silk Road underground black market and is now serving a [life sentence in prison](<http://thehackernews.com/2015/05/silk-road-ross-ulbricht.html>). \n \nAccording to the Department of Justice, Bridges is believed to have stolen additional funds from a digital wallet belonging to the Secret Service on two different occasions, months after he was initially charged. \n \nThe Secret Service discovered the missing Bitcoins in December, when Bridges was sentenced, after he admitted that he had moved and stolen approximately 1,600 Bitcoin (valued at nearly $359,005 at the time and almost $6.6 million today). \n \nAccording to his guilty plea in this case, Bridges said he used a private key to access a digital wallet belonging to the Secret Service account, and subsequently transferred the bitcoins to _\"other digital wallets at other Bitcoin exchanges to which only he had access.\"_ \n\n\n> \"In the course of the investigation, U.S. agents were able to locate and seize approximately 600 of the stolen bitcoin and, as part of his plea, Bridges agreed to turn over the remaining stolen Bitcoin,\" the DoJ said in the statement.\n\nSilk Road was shut down in 2013 after the arrest of Ulbricht. The FBI seized bitcoins (worth about $33.6 million at the time) from the site, which were later sold in a series of auctions by the United States Marshals Service (USMS). \n \nBefore the shutdown, [Silk Road](<http://thehackernews.com/2014/04/silk-road-dealer-plead-guilty-for_25.html>) was one of the most extensive, sophisticated, and widely used illegal marketplaces on the internet. 
\n \nBridges' partner in the scheme is Carl Mark Force, a 47-year-old former Drug Enforcement Administration (DEA) special agent, who is also facing criminal charges. \n \nOn Tuesday, Bridges pleaded guilty to one count of money laundering before a United States District Court judge in the Northern District of California. He will be sentenced on November 7, 2017.\n", "edition": 1, "reporter": "Swati Khandelwal", "published": "2017-08-16T01:45:00", "title": "Corrupt Federal Agent, Who Stole Bitcoins From Silk Road, Pleads Guilty To Money Laundering", "type": "thn", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "modified": "2017-08-16T12:45:21", "id": "THN:CADEF823A7C2C10C59092BE4221AC4DD", "href": "http://thehackernews.com/2017/08/money-laundering-silkroad-agent.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-16T16:07:08", "references": [], "description": "[![chrome-extention-hacking](https://2.bp.blogspot.com/-RWZ2XIA06sY/WZQ4hOTwylI/AAAAAAAAuGs/3mZmHZT2laUxzsEGnneXLw_9k5mviUubQCLcBGAs/s1600/chrome-extention-hacking.png)](<https://2.bp.blogspot.com/-RWZ2XIA06sY/WZQ4hOTwylI/AAAAAAAAuGs/3mZmHZT2laUxzsEGnneXLw_9k5mviUubQCLcBGAs/s1600/chrome-extention-hacking.png>)\n\nGoogle Chrome browser extensions are under attack, with a series of extension developers compromised within the last month. \n \nAlmost two weeks ago, we reported how unknown attackers managed to compromise the Chrome Web Store account of a developer team and [hijacked the Copyfish extension](<http://thehackernews.com/2017/07/chrome-extention-hacking-adware.html>), then modified it to distribute spam to users. \n \nJust two days after that incident, unknown attackers [hijacked another popular extension](<http://thehackernews.com/2017/08/chrome-extension-for-web-developers.html>), '**Web Developer**', and updated it to inject advertisements directly into the browsers of its more than 1 million users. 
\n \nAfter Chris Pederick, the creator of the 'Web Developer' Chrome extension, which offers various web development tools to its users, reported to Proofpoint that his extension had been compromised, the security vendor analysed the issue and found further add-ons in the Chrome Web Store that had also been altered. \n \nAccording to the latest report [published](<https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree>) by researchers at Proofpoint on Monday, the expanded list of compromised Chrome extensions is as follows: \n \n\n\n * Chrometana (1.1.3)\n * Infinity New Tab (3.12.3)\n * CopyFish (2.8.5)\n * Web Paint (1.2.1)\n * Social Fixer (20.1.1)\n \nProofpoint researcher Kafeine also believes the Chrome extensions TouchVPN and Betternet VPN were compromised in the same way at the end of June. \n \nIn all the above cases, the attackers first gained access to the developers' Google accounts by sending phishing emails with malicious links to steal account credentials. \n \nOnce the attackers had access to the accounts, they either hijacked the respective extensions and modified them to perform malicious tasks, or added malicious JavaScript code to them in an attempt to hijack traffic and expose users to fake ads and password theft in order to generate revenue. Because the Chrome Web Store pushes a new version of an extension to every existing install, a single compromised developer account is enough to put the malicious code on every user's browser. \n \nIn the case of the [Copyfish extension](<http://thehackernews.com/2017/07/chrome-extention-hacking-adware.html>), the attackers even moved the whole extension to one of its developers' accounts, preventing the software company from removing the infected extension from the Chrome Web Store even after the compromised behaviour had been spotted. \n\n\n> \"Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users,\" researchers concluded. 
\"In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims' browsers.\" \n\n> \"Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions.\"\n\nAt this time, it is unclear who is behind the hijackings of Chrome Web extensions. \n \nThe best way to protect yourself from such attacks is always to be suspicious of uninvited documents sent over a phishing email and never click on links inside those documents unless verifying the source.\n", "edition": 1, "reporter": "Swati Khandelwal", "published": "2017-08-16T01:22:00", "title": "8 More Chrome Extensions Hijacked to Target 4.8 Million Users", "type": "thn", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "modified": "2017-08-16T12:22:04", "id": "THN:138877955BAD800A1A9EB2D499D90B41", "href": "http://thehackernews.com/2017/08/chrome-extension-hacking.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-15T14:38:32", "references": [], "description": "[![Ransomwares](https://1.bp.blogspot.com/-98dzknjY5uk/WZLXJA6CC_I/AAAAAAAAuF0/GAKBqd2_s2Q0bBfD81MIQ_PPJ_nekH2twCLcBGAs/s1600/ransomware-attack.png)](<https://1.bp.blogspot.com/-98dzknjY5uk/WZLXJA6CC_I/AAAAAAAAuF0/GAKBqd2_s2Q0bBfD81MIQ_PPJ_nekH2twCLcBGAs/s1600/ransomware-attack.png>)\n\nRansomware has been around for a few years but has become an albatross around everyone's neck\u2014from big businesses and financial institutions to hospitals and individuals worldwide\u2014with cyber criminals making millions of dollars. 
\n \nIn just the past few months, we saw a wave of ransomware attacks including [WannaCry](<http://thehackernews.com/2017/06/honda-wannacry-attack.html>), [Petya](<http://thehackernews.com/2017/06/petya-ransomware-attack.html>) and [LeakerLocker](<http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html>), which caused chaos worldwide by shutting down hospitals, vehicle manufacturing, telecommunications, banks and many businesses. \n \nBefore [WannaCry](<http://thehackernews.com/2017/08/wannacry-ransomware-bitcoin.html>) and [Petya](<http://thehackernews.com/2017/08/ukraine-petya-ransomware-hacker.html>), the infamous Mamba full-disk-encrypting ransomware and the Locky ransomware had caused chaos across the world last year, and the bad news is\u2014they are back, with new variants more damaging than ever before. \n \n\n\n### Diablo6: New Variant of Locky Ransomware\n\n[![locky-ransomware-decrypt-files](https://4.bp.blogspot.com/-ui5Icm8_H90/WZLPhbbrX9I/AAAAAAAAuFY/rqAybybuRNMeaV7MQjln_xzD7vNqR5_zACLcBGAs/s1600/locky-ransomware-decrypt-files.png)](<https://4.bp.blogspot.com/-ui5Icm8_H90/WZLPhbbrX9I/AAAAAAAAuFY/rqAybybuRNMeaV7MQjln_xzD7vNqR5_zACLcBGAs/s1600/locky-ransomware-decrypt-files.png>)\n\nFirst surfacing in early 2016, [Locky](<http://thehackernews.com/2016/02/locky-ransomware-decrypt.html>) has been one of the most widely distributed ransomware families, infecting organisations across the globe. \n \nBy tricking victims into opening a malicious attachment, [Locky ransomware](<http://thehackernews.com/2016/11/facebook-locky-ransomware.html>) encrypts nearly all file formats on a victim's computer and network shares, and does not unlock them until the ransom in Bitcoins is paid to the attackers. \n \nThe ransomware has made many comebacks, with its variants distributed through the Necurs and Dridex botnets. 
\n \nThis time security researchers have [discovered](<https://twitter.com/msftmmpc/status/895451370270183424?s=07>) a fresh spam campaign distributing a new variant of Locky known as Diablo6 and targeting computers around the world, with the United States being the most targeted country, followed by Austria. \n \nAn independent security researcher using the online alias Racco42 first [spotted](<https://twitter.com/Racco42/status/895236812817432576>) the new Locky variant, which encrypts files on infected computers and appends the .diablo6 file extension. \n \nAs usual, the variant arrives in an email carrying a Microsoft Word file as an attachment; when the document is opened, a VBS downloader script runs and attempts to fetch the Locky Diablo6 payload from a remote file server. \n \nThe ransomware then encrypts files on the infected computer with 256-bit AES in CBC mode and wraps the AES key with a 2048-bit RSA key, so the files cannot be decrypted without the attacker's RSA private key. It then displays a message that instructs victims to download and install the Tor browser and visit the attacker's site for further instructions and payment. \n \nThis Locky Diablo6 variant demands 0.49 Bitcoin (over $2,079) from victims to get their files back. \n \nUnfortunately, at this time there is no way to recover files encrypted by the Diablo6 variant, so users need to exercise caution when opening email attachments. 
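The chain just described ends with files rewritten as AES ciphertext and renamed with a .diablo6 suffix. The triage script below is an added example, not code from the article or from any of the researchers it cites; it shows how a responder can find such files on a host or share even when a variant uses an extension you do not yet know. It flags the known extension and, independently, files whose byte entropy is close to 8 bits per byte, which is what AES-CBC output looks like and what ordinary documents do not. The sample directory, file names, threshold and minimum size are constructed assumptions.

```python
"""Ransomware triage: flag files that look encrypted, either by the extension
the article describes (.diablo6) or by byte entropy near 8 bits/byte.
Added example with a constructed sample directory; not code from the article."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import List, Optional, Tuple

# Extension appended by this campaign (from the article), and extensions of
# formats that are legitimately high-entropy and must not be flagged.
RANSOM_EXTENSIONS = {".diablo6"}
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4"}
ENTROPY_THRESHOLD = 7.8   # bits per byte; an assumption, tune per environment
MIN_SIZE = 4096           # too few bytes give an unstable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> Optional[str]:
    """Return 'extension' or 'entropy' if the file looks encrypted, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return "extension"
    if ext in COMPRESSED_EXTENSIONS:
        return None                      # legitimately high entropy, skip
    if os.path.getsize(path) < MIN_SIZE:
        return None
    with open(path, "rb") as f:
        head = f.read(65536)             # first 64 KiB is enough to estimate
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "entropy"
    return None


def triage(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path relative to root, reason) for suspicious files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain, which is
    as close to 8 bits/byte as real AES output and reproducible for the test."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_tree() -> str:
    """Constructed directory: an intact report, a file encrypted and renamed the
    way the article describes, an encrypted file whose name was left alone,
    and an archive that must not be flagged."""
    root = tempfile.mkdtemp(prefix="triage-")
    files = {
        "report.docx": b"Quarterly report: revenue rose 4% on stable costs.\n" * 200,
        "budget.xlsx.diablo6": pseudo_random_bytes(65536, b"a"),
        "photos.dat": pseudo_random_bytes(65536, b"b"),
        "backup.zip": pseudo_random_bytes(65536, b"c"),
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel_path, why in triage(build_sample_tree()):
        print(f"{why:9s} {rel_path}")
```

Compressed and media formats also sit near 8 bits per byte, which is why the script exempts them by extension; before acting on an entropy hit in a real scan, extend COMPRESSED_EXTENSIONS or check magic bytes, and treat a sudden cluster of such files under one user's directories as the signal rather than any single file.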
\n \n\n\n### Return of Disk-Encrypting Mamba Ransomware\n\n[![mamba-ransomware-malware](https://2.bp.blogspot.com/-BuTDSKgtRLQ/WZLOZaEbmTI/AAAAAAAAuFM/6iJgIV4HPtYhcVB7ZAxOcqiJJvsDKHsPgCLcBGAs/s1600/mamba-ransomware-malware.png)](<https://2.bp.blogspot.com/-BuTDSKgtRLQ/WZLOZaEbmTI/AAAAAAAAuFM/6iJgIV4HPtYhcVB7ZAxOcqiJJvsDKHsPgCLcBGAs/s1600/mamba-ransomware-malware.png>)\n\n[Mamba](<http://thehackernews.com/2016/11/transit-system-hacked.html>) is another powerful and dangerous kind of ransomware that encrypts the entire hard disk of an affected computer instead of individual files, leaving the system totally unusable unless a ransom is paid. \n \n[Petya](<http://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html>) took a similar disk-level approach ([WannaCry](<http://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>), by contrast, encrypted individual files), but Mamba appears designed for destruction in corporate and other large organisations rather than for extorting Bitcoins. \n \nLate last year, Mamba infected the San Francisco Municipal Transportation Agency (MUNI) network over the Thanksgiving weekend, causing [major train delays](<http://thehackernews.com/2016/11/transit-system-hacked.html>) and forcing officials to shut down ticket machines and fare gates at some stations. \n \nNow, security researchers at Kaspersky Lab have [spotted](<https://securelist.com/the-return-of-mamba-ransomware/79403/>) a new campaign distributing Mamba, targeting corporate networks mainly in Brazil and Saudi Arabia. \n \nMamba uses a legitimate open source Windows disk encryption utility, DiskCryptor, to fully lock the hard drives of computers in targeted organisations. DiskCryptor's ciphers are sound, so there is no way to recover the data without the key the attackers hold. 
\n\n\n[![mamba-ransomware](https://4.bp.blogspot.com/-V-fLfuO_TEM/WZLP6wzgjaI/AAAAAAAAuFc/ssYfvhlCdZYYFcG5zTMctNT_0IUpsQuWACLcBGAs/s1600/mamba-ransomware.png)](<https://4.bp.blogspot.com/-V-fLfuO_TEM/WZLP6wzgjaI/AAAAAAAAuFc/ssYfvhlCdZYYFcG5zTMctNT_0IUpsQuWACLcBGAs/s1600/mamba-ransomware.png>)\n\n \nAlthough it is not clear how the ransomware initially finds its way into a corporate network, researchers believe that, like most ransomware variants, Mamba may use either an exploit kit on compromised or malicious sites or malicious attachments sent by email. \n \nThe ransom note does not immediately demand money; the message displayed on the infected screen only states that the victim's hard drive has been encrypted and offers two email addresses and a unique ID number for recovering the key. \n \n\n\n### Here's How to Protect Yourself From Ransomware Attacks\n\n \nRansomware has become one of the largest threats to both individuals and enterprises, with several widespread outbreaks in the last few months. \n \nCurrently, there is no decryptor available for data locked by either Mamba or Locky, so users are strongly advised to follow prevention measures in order to protect themselves. \n \n**Beware of phishing emails:** Always be suspicious of unsolicited documents sent by email, and never click links inside them until you have verified the source. \n \n**Back up regularly:** To keep control of your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not permanently connected to your PC; a backup drive that stays mounted is encrypted along with everything else. 
\n \n**Keep your antivirus software and system up to date:** Always keep your antivirus software and systems updated to protect against the latest threats.\n", "edition": 1, "reporter": "Swati Khandelwal", "published": "2017-08-15T00:14:00", "title": "Warning: Two Dangerous Ransomware Are Back \u2013 Protect Your Computers", "type": "thn", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "modified": "2017-08-15T11:14:23", "id": "THN:7E274B953DE61A0B33283746575DB667", "href": "http://thehackernews.com/2017/08/locky-mamba-ransomware.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2017-08-18T01:19:40", "references": ["https://alas.aws.amazon.com/ALAS-2017-869.html"], "pluginID": "102502", "description": "It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-10102)\n\nMultiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries, AWT, Hotspot, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10107 , CVE-2017-10096 , CVE-2017-10101 , CVE-2017-10089 , CVE-2017-10090 , CVE-2017-10087 , CVE-2017-10110 , CVE-2017-10074 , CVE-2017-10067)\n\nIt was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers. (CVE-2017-10116)\n\nIt was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information. 
(CVE-2017-10243)\n\nA covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2017-10115)\n\nA covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. (CVE-2017-10135)\n\nIt was discovered that the BasicAttribute and CodeSource classes in OpenJDK did not limit the amount of memory allocated when creating object instances from a serialized form. A specially crafted serialized input stream could cause Java to consume an excessive amount of memory. (CVE-2017-10108 , CVE-2017-10109)\n\nA flaw was found in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2017-10081)\n\nIt was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. 
A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.\n(CVE-2017-10053)", "edition": 2, "reporter": "Tenable", "published": "2017-08-16T00:00:00", "title": "Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2017-869)", "type": "nessus", "enchantments": {}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-10087", "CVE-2017-10107", "CVE-2017-10243", "CVE-2017-10135", "CVE-2017-10101", "CVE-2017-10108", "CVE-2017-10090", "CVE-2017-10096", "CVE-2017-10110", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10067", "CVE-2017-10074", "CVE-2017-10053", "CVE-2017-10081", "CVE-2017-10089", "CVE-2017-10109", "CVE-2017-10102"], "modified": "2017-08-17T00:00:00", "id": "ALA_ALAS-2017-869.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=102502", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-869.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102502);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2017/08/17 15:31:19 $\");\n\n script_cve_id(\"CVE-2017-10053\", \"CVE-2017-10067\", \"CVE-2017-10074\", \"CVE-2017-10081\", \"CVE-2017-10087\", \"CVE-2017-10089\", \"CVE-2017-10090\", \"CVE-2017-10096\", \"CVE-2017-10101\", \"CVE-2017-10102\", \"CVE-2017-10107\", \"CVE-2017-10108\", \"CVE-2017-10109\", \"CVE-2017-10110\", \"CVE-2017-10115\", \"CVE-2017-10116\", \"CVE-2017-10135\", \"CVE-2017-10243\");\n script_xref(name:\"ALAS\", value:\"2017-869\");\n script_xref(name:\"IAVA\", value:\"2017-A-0226\");\n\n script_name(english:\"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2017-869)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host 
is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the DCG implementation in the RMI component of\nOpenJDK failed to correctly handle references. A remote attacker could\npossibly use this flaw to execute arbitrary code with the privileges\nof RMI registry or a Java RMI application. (CVE-2017-10102)\n\nMultiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries,\nAWT, Hotspot, and Security components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2017-10107 , CVE-2017-10096 ,\nCVE-2017-10101 , CVE-2017-10089 , CVE-2017-10090 , CVE-2017-10087 ,\nCVE-2017-10110 , CVE-2017-10074 , CVE-2017-10067)\n\nIt was discovered that the LDAPCertStore class in the Security\ncomponent of OpenJDK followed LDAP referrals to arbitrary URLs. A\nspecially crafted LDAP referral URL could cause LDAPCertStore to\ncommunicate with non-LDAP servers. (CVE-2017-10116)\n\nIt was discovered that the wsdlimport tool in the JAX-WS component of\nOpenJDK did not use secure XML parser settings when parsing WSDL XML\ndocuments. A specially crafted WSDL document could cause wsdlimport to\nuse an excessive amount of CPU and memory, open connections to other\nhosts, or leak information. (CVE-2017-10243)\n\nA covert timing channel flaw was found in the DSA implementation in\nthe JCE component of OpenJDK. A remote attacker able to make a Java\napplication generate DSA signatures on demand could possibly use this\nflaw to extract certain information about the used key via a timing\nside channel. (CVE-2017-10115)\n\nA covert timing channel flaw was found in the PKCS#8 implementation in\nthe JCE component of OpenJDK. A remote attacker able to make a Java\napplication repeatedly compare PKCS#8 key against an attacker\ncontrolled value could possibly use this flaw to determine the key via\na timing side channel. 
(CVE-2017-10135)\n\nIt was discovered that the BasicAttribute and CodeSource classes in\nOpenJDK did not limit the amount of memory allocated when creating\nobject instances from a serialized form. A specially crafted\nserialized input stream could cause Java to consume an excessive\namount of memory. (CVE-2017-10108 , CVE-2017-10109)\n\nA flaw was found in the Hotspot component in OpenJDK. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2017-10081)\n\nIt was discovered that the JPEGImageReader implementation in the 2D\ncomponent of OpenJDK would, in certain cases, read all image data even\nif it was not used later. A specially crafted image could cause a Java\napplication to temporarily use an excessive amount of CPU and memory.\n(CVE-2017-10053)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-869.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.7.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/15\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/16\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/AmazonLinux/release\")) audit(AUDIT_OS_NOT, \"Amazon Linux AMI\");\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.151-2.6.11.0.74.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": 
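The rpm_check() calls in the plugin above decide whether each installed java-1.7.0-openjdk package is older than the fixed build 1.7.0.151-2.6.11.0.74.amzn1, using RPM's own version ordering rather than a string or float comparison. As an added example, not Tenable's code, here is that ordering in Python: a port of rpmvercmp() from rpm's lib/rpmvercmp.c (the newer caret handling is omitted), with the epoch/version/release comparison on top, run over a constructed `rpm -qa` listing. The hostname-free package lines are made up; the fixed versions are the ones the plugin checks for.

```python
"""RPM version ordering as used by rpm_check() above, in Python.
Added example: a port of rpm's lib/rpmvercmp.c (caret handling omitted),
not Tenable's code. The rpm -qa listing is constructed."""
from typing import List, Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version string a is older than, equal to, or newer
    than b. Digit runs compare numerically, letter runs lexically, a digit run
    beats a letter run, separators are ignored, and '~' sorts before anything
    (pre-release)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if tilde_a and tilde_b:
                i, j = i + 1, j + 1
                continue
            return -1 if tilde_a else 1     # the side with '~' is older
        if i >= len(a) or j >= len(b):
            break
        # take a run of digits or a run of letters, keyed on a's next char
        is_num = a[i].isdigit()
        same_class = str.isdigit if is_num else str.isalpha
        start_a, start_b = i, j
        while i < len(a) and same_class(a[i]):
            i += 1
        while j < len(b) and same_class(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            # different classes at this position: numeric beats alphabetic
            return 1 if is_num else -1
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whoever has characters left is newer


def split_nevr(pkg: str) -> Tuple[str, int, str, str]:
    """'java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1' ->
    ('java-1.7.0-openjdk', 0, '1.7.0.151', '2.6.11.0.74.amzn1').
    Names may contain hyphens, so version and release are the last two
    hyphen-separated fields; an epoch, if present, is 'E:' before the version."""
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def evr_cmp(installed: str, reference: str) -> int:
    """Compare two NEVR strings of the same package: epoch numerically, then
    version, then release with rpmvercmp() semantics."""
    n1, e1, v1, r1 = split_nevr(installed)
    n2, e2, v2, r2 = split_nevr(reference)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


# Fixed builds from the plugin above, and a constructed listing as printed by
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# (no architecture suffix) on a hypothetical host.
FIXED = [
    "java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1",
    "java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1",
]
SAMPLE_RPM_QA = """\
java-1.7.0-openjdk-1.7.0.141-2.6.10.1.73.amzn1
java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1
bash-4.2.46-28.36.amzn1
"""


def find_unpatched(rpm_qa: str, fixed: List[str]) -> List[str]:
    """Return installed packages older than their fixed build, which is the
    condition under which the plugin raises its warning."""
    fixed_by_name = {split_nevr(f)[0]: f for f in fixed}
    hits = []
    for line in rpm_qa.splitlines():
        line = line.strip()
        if not line:
            continue
        ref = fixed_by_name.get(split_nevr(line)[0])
        if ref is not None and evr_cmp(line, ref) < 0:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for pkg in find_unpatched(SAMPLE_RPM_QA, FIXED):
        print("missing ALAS-2017-869 fix:", pkg)
```

The ordering rules are what make naive comparisons fail: "1.7.0.151" sorts after "1.7.0.141" as a string too, but "1.7.0.9" would wrongly sort after "1.7.0.151" as a string and "1.0~rc1" would sort after "1.0"; rpmvercmp() gets both right, which is why a version check should use it (or `rpmdev-vercmp`) and never a lexical compare.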
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-18T01:24:33", "references": ["http://www.nessus.org/u?c20bfd53"], "pluginID": "102503", "description": "An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-10102)\n\n* Multiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries, AWT, Hotspot, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10107, CVE-2017-10096, CVE-2017-10101, CVE-2017-10089, CVE-2017-10090, CVE-2017-10087, CVE-2017-10110, CVE-2017-10074, CVE-2017-10067)\n\n* It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers. (CVE-2017-10116)\n\n* It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information. 
(CVE-2017-10243)\n\n* A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2017-10115)\n\n* A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. (CVE-2017-10135)\n\n* It was discovered that the BasicAttribute and CodeSource classes in OpenJDK did not limit the amount of memory allocated when creating object instances from a serialized form. A specially crafted serialized input stream could cause Java to consume an excessive amount of memory. (CVE-2017-10108, CVE-2017-10109)\n\n* A flaw was found in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2017-10081)\n\n* It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. 
A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.\n(CVE-2017-10053)", "edition": 2, "reporter": "Tenable", "published": "2017-08-16T00:00:00", "title": "CentOS 6 : java-1.7.0-openjdk (CESA-2017:2424)", "type": "nessus", "enchantments": {}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-10087", "CVE-2017-10107", "CVE-2017-10243", "CVE-2017-10135", "CVE-2017-10101", "CVE-2017-10108", "CVE-2017-10090", "CVE-2017-10096", "CVE-2017-10110", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10067", "CVE-2017-10074", "CVE-2017-10053", "CVE-2017-10081", "CVE-2017-10089", "CVE-2017-10109", "CVE-2017-10102"], "modified": "2017-08-17T00:00:00", "id": "CENTOS_RHSA-2017-2424.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=102503", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2424 and \n# CentOS Errata and Security Advisory 2017:2424 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102503);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2017/08/17 15:31:19 $\");\n\n script_cve_id(\"CVE-2017-10053\", \"CVE-2017-10067\", \"CVE-2017-10074\", \"CVE-2017-10081\", \"CVE-2017-10087\", \"CVE-2017-10089\", \"CVE-2017-10090\", \"CVE-2017-10096\", \"CVE-2017-10101\", \"CVE-2017-10102\", \"CVE-2017-10107\", \"CVE-2017-10108\", \"CVE-2017-10109\", \"CVE-2017-10110\", \"CVE-2017-10115\", \"CVE-2017-10116\", \"CVE-2017-10135\", \"CVE-2017-10243\");\n script_osvdb_id(161398, 161399, 161401, 161402, 161403, 161404, 161406, 161407, 161409, 161410, 161412, 161413, 161420, 161422, 161424, 161425, 161426, 161428);\n script_xref(name:\"RHSA\", value:\"2017:2424\");\n script_xref(name:\"IAVA\", value:\"2017-A-0226\");\n\n script_name(english:\"CentOS 6 : 
java-1.7.0-openjdk (CESA-2017:2424)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.7.0-openjdk is now available for Red Hat\nEnterprise Linux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* It was discovered that the DCG implementation in the RMI component\nof OpenJDK failed to correctly handle references. A remote attacker\ncould possibly use this flaw to execute arbitrary code with the\nprivileges of RMI registry or a Java RMI application. (CVE-2017-10102)\n\n* Multiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries,\nAWT, Hotspot, and Security components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2017-10107, CVE-2017-10096, CVE-2017-10101,\nCVE-2017-10089, CVE-2017-10090, CVE-2017-10087, CVE-2017-10110,\nCVE-2017-10074, CVE-2017-10067)\n\n* It was discovered that the LDAPCertStore class in the Security\ncomponent of OpenJDK followed LDAP referrals to arbitrary URLs. A\nspecially crafted LDAP referral URL could cause LDAPCertStore to\ncommunicate with non-LDAP servers. (CVE-2017-10116)\n\n* It was discovered that the wsdlimport tool in the JAX-WS component\nof OpenJDK did not use secure XML parser settings when parsing WSDL\nXML documents. 
A specially crafted WSDL document could cause\nwsdlimport to use an excessive amount of CPU and memory, open\nconnections to other hosts, or leak information. (CVE-2017-10243)\n\n* A covert timing channel flaw was found in the DSA implementation in\nthe JCE component of OpenJDK. A remote attacker able to make a Java\napplication generate DSA signatures on demand could possibly use this\nflaw to extract certain information about the used key via a timing\nside channel. (CVE-2017-10115)\n\n* A covert timing channel flaw was found in the PKCS#8 implementation\nin the JCE component of OpenJDK. A remote attacker able to make a Java\napplication repeatedly compare PKCS#8 key against an attacker\ncontrolled value could possibly use this flaw to determine the key via\na timing side channel. (CVE-2017-10135)\n\n* It was discovered that the BasicAttribute and CodeSource classes in\nOpenJDK did not limit the amount of memory allocated when creating\nobject instances from a serialized form. A specially crafted\nserialized input stream could cause Java to consume an excessive\namount of memory. (CVE-2017-10108, CVE-2017-10109)\n\n* A flaw was found in the Hotspot component in OpenJDK. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2017-10081)\n\n* It was discovered that the JPEGImageReader implementation in the 2D\ncomponent of OpenJDK would, in certain cases, read all image data even\nif it was not used later. 
A specially crafted image could cause a Java\napplication to temporarily use an excessive amount of CPU and memory.\n(CVE-2017-10053)\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2017-August/022517.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c20bfd53\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/16\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", 
\"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.151-2.6.11.0.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.151-2.6.11.0.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.el6_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2017-08-16T05:08:03", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.x86_64", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.i686", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": 
"Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.x86_64", "packageName": "java-1.7.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "noarch", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.151-2.6.11.0.74.amzn1.noarch", "packageName": "java-1.7.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.x86_64", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.i686", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.i686", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "src", "packageFilename": "java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.src", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.x86_64", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.i686", "packageName": "java-1.7.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", 
"packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.i686", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.151-2.6.11.0.74", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.x86_64", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}], "description": "**Issue Overview:**\n\nIt was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. ([CVE-2017-10102 __](<https://access.redhat.com/security/cve/CVE-2017-10102>))\n\nMultiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries, AWT, Hotspot, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2017-10107 __](<https://access.redhat.com/security/cve/CVE-2017-10107>), [CVE-2017-10096 __](<https://access.redhat.com/security/cve/CVE-2017-10096>), [CVE-2017-10101 __](<https://access.redhat.com/security/cve/CVE-2017-10101>), [CVE-2017-10089 __](<https://access.redhat.com/security/cve/CVE-2017-10089>), [CVE-2017-10090 __](<https://access.redhat.com/security/cve/CVE-2017-10090>), [CVE-2017-10087 __](<https://access.redhat.com/security/cve/CVE-2017-10087>), [CVE-2017-10110 __](<https://access.redhat.com/security/cve/CVE-2017-10110>), [CVE-2017-10074 __](<https://access.redhat.com/security/cve/CVE-2017-10074>), [CVE-2017-10067 __](<https://access.redhat.com/security/cve/CVE-2017-10067>))\n\nIt was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers. 
([CVE-2017-10116 __](<https://access.redhat.com/security/cve/CVE-2017-10116>))\n\nIt was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information. ([CVE-2017-10243 __](<https://access.redhat.com/security/cve/CVE-2017-10243>))\n\nA covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel. ([CVE-2017-10115 __](<https://access.redhat.com/security/cve/CVE-2017-10115>))\n\nA covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. ([CVE-2017-10135 __](<https://access.redhat.com/security/cve/CVE-2017-10135>))\n\nIt was discovered that the BasicAttribute and CodeSource classes in OpenJDK did not limit the amount of memory allocated when creating object instances from a serialized form. A specially crafted serialized input stream could cause Java to consume an excessive amount of memory. ([CVE-2017-10108 __](<https://access.redhat.com/security/cve/CVE-2017-10108>), [CVE-2017-10109 __](<https://access.redhat.com/security/cve/CVE-2017-10109>))\n\nA flaw was found in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. 
([CVE-2017-10081 __](<https://access.redhat.com/security/cve/CVE-2017-10081>))\n\nIt was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory. ([CVE-2017-10053 __](<https://access.redhat.com/security/cve/CVE-2017-10053>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n\n \n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.151-2.6.11.0.74.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.x86_64 \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2017-08-15T17:30:00", "title": "Critical: java-1.7.0-openjdk", "type": "amazon", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-10087", "CVE-2017-10107", "CVE-2017-10243", "CVE-2017-10135", "CVE-2017-10101", "CVE-2017-10108", "CVE-2017-10090", "CVE-2017-10096", "CVE-2017-10110", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10067", "CVE-2017-10074", "CVE-2017-10053", "CVE-2017-10081", "CVE-2017-10089", "CVE-2017-10109", "CVE-2017-10102"], "modified": "2017-08-15T17:30:00", "id": "ALAS-2017-869", "href": 
"https://alas.aws.amazon.com/ALAS-2017-869.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "filippoio": [{"lastseen": "2017-08-15T18:09:27", "references": [], "description": "Go has good support for calling into assembly, and a lot of the fast cryptographic code in the stdlib is carefully optimized assembly, bringing speedups of over 20 times.\n\nHowever, writing assembly code is hard, reviewing it is possibly harder, and [cryptography is unforgiving](<https://groups.google.com/forum/#!topic/golang-announce/B5ww0iFt1_Q>). Wouldn't it be nice if we could write these hot functions in a higher level language?\n\nThis post is the story of a slightly-less-than-sane experiment to call Rust code from Go fast enough to replace assembly. No need to know Rust, or compiler internals, but knowing what a linker is would help.\n\n## Why Rust\n\nI'll be upfront: I don't know Rust, and don't feel compelled to do my day-to-day programming in it. However, I know Rust is a very tweakable and optimizable language, while still more readable than assembly. (After all, everything is more readable than assembly!)\n\nGo strives to find defaults that are good for its core use cases, and only accepts features that are fast enough to be enabled by default, in a constant and successful fight against knobs. I love it for that. But for what we are doing today we need a language that won't flinch when asked to generate stack-only functions with manually hinted away safety checks.\n\nSo if there's a language that we might be able to constrain enough to behave like assembly, and to optimize enough to be as useful as assembly, it might be Rust.\n\nFinally, Rust is safe, actively developed, and not least, there's already a good ecosystem of high-performance Rust cryptography code to tap into.\n\n## Why not cgo\n\nGo has a [Foreign Function Interface](<https://en.wikipedia.org/wiki/Foreign_function_interface>), _cgo_. 
[cgo](<https://golang.org/cmd/cgo/>) allows Go programs to call C functions in the most natural way possible\u2014which is unfortunately not very natural at all. (I know [more than I'd like to about cgo](<https://speakerdeck.com/filosottile/from-cgo-back-to-go-gophercon-2016>), and I can tell you [it's not fun](<https://dave.cheney.net/2016/01/18/cgo-is-not-go>).)\n\nBy using the C [ABI](<https://en.wikipedia.org/wiki/Application_binary_interface>) as [lingua franca](<https://en.wikipedia.org/wiki/Lingua_franca>) of FFIs, we can call anything from anything: Rust can compile into a library exposing the C ABI, and cgo can use that. It's awkward, but it works.\n\nWe can even use reverse-cgo to build Go into a C library and call it from random languages, like [I did with Python as a stunt](<https://blog.filippo.io/building-python-modules-with-go-1-5/>). (It was a stunt folks, stop taking me seriously.)\n\nBut cgo does a lot of things to enable that bit of Go naturalness it provides: it will setup a whole stack for C to live in, it makes defer calls to prepare for a panic in a Go callback... this ~~could be~~ will be a whole post of its own.\n\nAs a result, the performance cost of each cgo call is way too high for the use case we are thinking about\u2014_small hot functions_.\n\n## Linking it together\n\nSo here's the idea: if we have Rust code that is as constrained as assembly, we should be able to use it **just like assembly**, and call straight into it. Maybe with a thin layer of glue.\n\nWe don't have to work at the [IR](<https://idea.popcount.org/2013-07-24-ir-is-better-than-assembly/>) level: the Go compiler converts both code and high-level assembly into machine code before linking [since Go 1.3](<https://talks.golang.org/2016/asm.slide>).\n\nThis is confirmed by the existence of \"[external linking](<https://docs.google.com/document/d/1nr-TQHw_er6GOQRsF6T43GGhFDelrAP0NqSS_00RgZQ/preview>)\", where the system linker is used to put together a Go program. 
It's how cgo works, too: it compiles C with the C compiler, Go with the Go compiler, and links it all together with `clang` or `gcc`. We can even pass flags to the linker with `CGO_LDFLAGS`.\n\nUnderneath all the safety features of cgo, we surely find a cross-language function call, after all.\n\nIt would be nice if we could figure out how to do this without patching the compiler, though. First, let's figure out how to link a Go program with a Rust archive.\n\nI could not find a decent way to link against a foreign blob with `go build` (why should there be one?) except using `#cgo` directives. However, invoking cgo [makes `.s` files go to the C compiler instead of the Go one](<https://github.com/golang/go/issues/19448>), and my friends, we _will_ need Go assembly.\n\nThankfully [go/build](<https://golang.org/pkg/go/build/>) is nothing but a frontend! Go offers a set of low level tools to [compile](<https://golang.org/cmd/compile/>) and [link](<https://golang.org/cmd/link/>) programs, `go build` just collects files and invokes those tools. We can follow what it does by using the `-x` flag.\n\nI built this small Makefile by following a `-x -ldflags \"-v -linkmode=external '-extldflags=-v'\"` invocation of a cgo build.\n \n \n rustgo: rustgo.a \n go tool link -o rustgo -extld clang -buildmode exe -buildid b01dca11ab1e -linkmode external -v rustgo.a\n \n rustgo.a: hello.go hello.o \n go tool compile -o rustgo.a -p main -buildid b01dca11ab1e -pack hello.go\n go tool pack r rustgo.a hello.o\n \n hello.o: hello.s \n go tool asm -I \"$(shell go env GOROOT)/pkg/include\" -D GOOS_darwin -D GOARCH_amd64 -o hello.o hello.s\n \n\nThis compiles a simple main package composed of a Go file (`hello.go`) and a Go assembly file (`hello.s`).\n\nNow, if we want to link in a Rust object we first build it as a static library...\n \n \n libhello.a: hello.rs \n rustc -g -O --crate-type staticlib hello.rs\n \n\n... 
and then just tell the external linker to link it together.\n \n \n rustgo: rustgo.a libhello.a \n go tool link -o rustgo -extld clang -buildmode exe -buildid b01dca11ab1e -linkmode external -v -extldflags='-lhello -L\"$(CURDIR)\"' rustgo.a\n \n \n \n $ make\n go tool asm -I \"/usr/local/Cellar/go/1.8.1_1/libexec/pkg/include\" -D GOOS_darwin -D GOARCH_amd64 -o hello.o hello.s \n go tool compile -o rustgo.a -p main -buildid b01dca11ab1e -pack hello.go \n go tool pack r rustgo.a hello.o \n rustc --crate-type staticlib hello.rs \n note: link against the following native artifacts when linking against this static library\n \n note: the order and any duplication can be significant on some platforms, and so may need to be preserved\n \n note: library: System\n \n note: library: c\n \n note: library: m\n \n go tool link -o rustgo -extld clang -buildmode exe -buildid b01dca11ab1e -linkmode external -v -extldflags=\"-lhello -L/Users/filippo/code/misc/rustgo\" rustgo.a \n HEADER = -H1 -T0x1001000 -D0x0 -R0x1000 \n searching for runtime.a in /usr/local/Cellar/go/1.8.1_1/libexec/pkg/darwin_amd64/runtime.a \n searching for runtime/cgo.a in /usr/local/Cellar/go/1.8.1_1/libexec/pkg/darwin_amd64/runtime/cgo.a \n 0.00 deadcode\n 0.00 pclntab=166785 bytes, funcdata total 17079 bytes\n 0.01 dodata\n 0.01 symsize = 0\n 0.01 symsize = 0\n 0.01 reloc\n 0.01 dwarf\n 0.02 symsize = 0\n 0.02 reloc\n 0.02 asmb\n 0.02 codeblk\n 0.03 datblk\n 0.03 sym\n 0.03 headr\n 0.06 host link: \"clang\" \"-m64\" \"-gdwarf-2\" \"-Wl,-headerpad,1144\" \"-Wl,-no_pie\" \"-Wl,-pagezero_size,4000000\" \"-o\" \"rustgo\" \"-Qunused-arguments\" \"/var/folders/ry/v14gg02d0y9cb2w9809hf6ch0000gn/T/go-link-412633279/go.o\" \"/var/folders/ry/v14gg02d0y9cb2w9809hf6ch0000gn/T/go-link-412633279/000000.o\" \"-g\" \"-O2\" \"-lpthread\" \"-lhello\" \"-L/Users/filippo/code/misc/rustgo\"\n 0.34 cpu time\n 12641 symbols \n 5764 liveness data \n \n\n## Jumping into Rust\n\nAlright, so we linked it, but the symbols are not going 
to do anything just by sitting next to each other. We need to somehow call the Rust function from our Go code.\n\nWe know how to call a Go function from Go. In assembly the same call looks like `CALL hello(SB)`, where SB is a virtual register all global symbols are relative to.\n\nIf we want to call an assembly function from Go we make the compiler aware of its existence like a C header, by writing `func hello()` without a function body.\n\nI tried all combinations of the above to call an external (Rust) function, but they all complained that they couldn't find either the symbol name, or the function body.\n\nBut cgo, which at the end of the day is just a giant code generator, somehow manages to eventually invoke that foreign function! How?\n\nI stumbled upon [the answer](<https://github.com/golang/go/blob/c3c2e453c968c7b450c59a47dc9502bd44257164/src/cmd/cgo/out.go#L1475-L1478>) a couple days later.\n \n \n //go:cgo_import_static _cgoPREFIX_Cfunc__Cmalloc\n //go:linkname __cgofn__cgoPREFIX_Cfunc__Cmalloc _cgoPREFIX_Cfunc__Cmalloc\n var __cgofn__cgoPREFIX_Cfunc__Cmalloc byte \n var _cgoPREFIX_Cfunc__Cmalloc = unsafe.Pointer(&__cgofn__cgoPREFIX_Cfunc__Cmalloc) \n \n\nThat looks like an interesting pragma! `//go:linkname` just creates a symbol alias in the local scope (which [can be used to call private functions](<https://sitano.github.io/2016/04/28/golang-private/>)!), and I'm pretty sure the `byte` trick is only cleverness to have something to take the address of, but `//go:cgo_import_static`... 
this imports an external symbol!\n\nArmed with this new tool and the Makefile above, we have a chance to invoke this Rust function (`hello.rs`)\n \n \n #[no_mangle]\n pub extern fn hello() { \n println!(\"Hello, Rust!\");\n }\n \n\n(The no-mangle-pub-extern incantation is from [this tutorial](<https://doc.rust-lang.org/1.5.0/book/rust-inside-other-languages.html>).)\n\nfrom this Go program (`hello.go`)\n \n \n package main\n \n //go:cgo_import_static hello\n \n func trampoline()\n \n func main() { \n println(\"Hello, Go!\")\n trampoline()\n }\n \n\nwith the help of this assembly snippet. (`hello.s`)\n \n \n TEXT \u00b7trampoline(SB), 0, $2048 \n JMP hello(SB)\n RET\n \n\n`CALL` was a bit too smart to work, but using a simple `JMP`...\n \n \n Hello, Go! \n Hello, Rust! \n panic: runtime error: invalid memory address or nil pointer dereference \n [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]\n \n\n\ud83d\udca5\n\nWell, it crashes when it tries to return. Also that `$2048` value is the whole stack size Rust is allowed (if it's even putting the stack in the right place), and don't ask me what happens if Rust tries to touch a heap... but hell, I'm surprised it works at all!\n\n## Calling conventions\n\nNow, to make it return cleanly, and take some arguments, we need to look more closely at the Go and Rust calling conventions. A [calling convention](<https://en.wikipedia.org/wiki/Calling_convention>) defines where arguments and return values sit across function calls.\n\nThe Go calling convention is described [here](<https://github.com/golang/go/files/447163/GoFunctionsInAssembly.pdf>) and [here](<https://golang.org/doc/asm>). For Rust we'll look at the [default for FFI](<https://doc.rust-lang.org/beta/book/first-edition/ffi.html#calling-rust-code-from-c>), which is the standard C calling convention.\n\nTo keep going we're going to need a debugger. 
(LLDB supports Go, but [breakpoints are somehow broken on macOS](<https://github.com/golang/go/issues/20568>), so I had to play inside a privileged Docker container.)\n\n![Zelda dangerous to go alone](https://blog.filippo.io/content/images/2017/08/zelda-2.png)\n\n### The Go calling convention\n\n![Go calling convention diagram](https://blog.filippo.io/content/images/2017/08/Go-stack-layout-3.png)\n\nThe Go calling convention is mostly [undocumented](<https://github.com/golang/go/issues/16922>), but we'll need to understand it to proceed, so here is what we can learn from a disassembly (amd64 specific). Let's look at a very simple function.\n \n \n // func foo(x, y uint64) uint64\n TEXT \u00b7foo(SB), 0, $256-24 \n MOVQ x+0(FP), DX\n MOVQ DX, ret+16(FP)\n RET\n \n\n`foo` has 256 (0x100) bytes of local frame, 16 bytes of arguments, 8 bytes of return value, and it returns its first argument.\n \n \n func main() { \n foo(0xf0f0f0f0f0f0f0f0, 0x5555555555555555)\n \n \n \n rustgo[0x49d785]: movabsq $-0xf0f0f0f0f0f0f10, %rax \n rustgo[0x49d78f]: movq %rax, (%rsp) \n rustgo[0x49d793]: movabsq $0x5555555555555555, %rax \n rustgo[0x49d79d]: movq %rax, 0x8(%rsp) \n rustgo[0x49d7a2]: callq 0x49d8a0 ; main.foo at hello.s:14 \n \n\nThe caller, seen above, does very little: it places the arguments on the stack in reverse order, at the bottom of its own frame (`rsp` to `16(rsp)`, remember that the stack grows down) and executes `CALL`. The `CALL` will push the return pointer to the stack and jump. 
There's no caller cleanup, just a plain `RET`.\n\nNotice that `rsp` is fixed, and we have `movq`s, not `push`s.\n \n \n rustgo`main.foo at hello.s:14: \n rustgo[0x49d8a0]: movq %fs:-0x8, %rcx \n rustgo[0x49d8a9]: leaq -0x88(%rsp), %rax \n rustgo[0x49d8b1]: cmpq 0x10(%rcx), %rax \n rustgo[0x49d8b5]: jbe 0x49d8ee ; main.foo + 78 at hello.s:14 \n [...]\n rustgo[0x49d8ee]: callq 0x495d10 ; runtime.morestack_noctxt at asm_amd64.s:405 \n rustgo[0x49d8f3]: jmp 0x49d8a0 ; main.foo at hello.s:14 \n \n\nThe first 4 and last 2 instructions of the function are checking if there is enough space for the stack, and if not calling `runtime.morestack`. They are probably skipped for `NOSPLIT` functions.\n \n \n rustgo[0x49d8b7]: subq $0x108, %rsp \n [...]\n rustgo[0x49d8e6]: addq $0x108, %rsp \n rustgo[0x49d8ed]: retq \n \n\nThen there's the `rsp` management, which subtracts 0x108, making space for the entire 0x100 bytes of frame in one go, and the 8 bytes of frame pointer. So `rsp` points to the bottom (the end) of the function frame, and is callee managed. Before returning, `rsp` is returned to where it was (just past the return pointer).\n \n \n rustgo[0x49d8be]: movq %rbp, 0x100(%rsp) \n rustgo[0x49d8c6]: leaq 0x100(%rsp), %rbp \n [...]\n rustgo[0x49d8de]: movq 0x100(%rsp), %rbp \n \n\nFinally the [frame pointer](<https://stackoverflow.com/questions/579262/what-is-the-purpose-of-the-ebp-frame-pointer-register>), which is effectively pushed to the stack just after the return pointer, and updated at `rbp`. 
So `rbp` is also callee saved, and should be updated to point at where the caller's `rbp` is stored to enable stack trace unrolling.\n \n \n rustgo[0x49d8ce]: movq 0x110(%rsp), %rdx \n rustgo[0x49d8d6]: movq %rdx, 0x120(%rsp) \n \n\nFinally, from the body itself we learn that return values go just above the arguments.\n\n#### Virtual registers\n\nThe Go docs say that `SP` and `FP` are virtual registers, not just aliases of `rsp` and `rbp`.\n\nIndeed, when accessing `SP` from Go assembly, the offsets are adjusted relative to the real `rsp` so that `SP` points to the top, not the bottom, of the frame. That's convenient because it means not having to change all offsets when changing the frame size, but it's just syntactic sugar. Naked access to the register (like `MOVQ SP, DX`) accesses `rsp` directly.\n\nThe `FP` virtual register is simply an adjusted offset over `rsp`, too. It points to the bottom of the caller frame, where arguments are, and there's no direct access.\n\nNote: Go maintains `rbp` and frame pointers to help debugging, but then uses a fixed `rsp` and `omit-stack-pointer`-style `rsp` offsets for the virtual `FP`. You can learn more about frame pointers and not using them from [this Adam Langley blog post](<https://www.imperialviolet.org/2017/01/18/cfi.html>).\n\n### The C calling convention\n\n\"[sysv64](<https://en.wikipedia.org/wiki/X86_calling_conventions#System_V_AMD64_ABI>)\", the default C calling convention on x86-64, is quite different:\n\n * The arguments are passed via registers: RDI, RSI, RDX, RCX, R8, and R9.\n * The return value goes to RAX.\n * Some registers are callee-saved: RBP, RBX, and R12\u2013R15. \n * We care little about this, since in Go all registers are caller-saved.\n * The stack must be aligned to 16-bytes. 
\n * (I think this is why `JMP` worked and `CALL` didn't, we failed to align the stack!)\n\nFrame pointers work the same way (and are generated by `rustc` with `-g`).\n\n### Gluing them together\n\nBuilding a simple trampoline between the two conventions won't be hard. We can also look at [`asmcgocall`](<https://github.com/golang/go/blob/57bf6aca711a53aa7fea877b98896cd0445c6ad0/src/runtime/asm_amd64.s#L585>) for inspiration, since it does approximately the same job, but for cgo.\n\nWe need to remember that we want the Rust function to use the stack space of our assembly function, since Go ensured for us that it's present. To do that, we have to roll back `rsp` from the end of the stack.\n \n \n package main\n \n //go:cgo_import_static increment\n func trampoline(arg uint64) uint64\n \n func main() { \n println(trampoline(41))\n }\n \n\n\u2b07\n \n \n TEXT \u00b7trampoline(SB), 0, $2048-16 \n MOVQ arg+0(FP), DI // Load the argument before messing with SP\n MOVQ SP, BX // Save SP in a callee-saved register\n ADDQ $2048, SP // Roll back SP to reuse this function's frame\n ANDQ $~15, SP // Align the stack to 16 bytes\n CALL increment(SB)\n MOVQ BX, SP // Restore SP\n MOVQ AX, ret+8(FP) // Place the return value on the stack\n RET\n \n\n\u2b07\n \n \n #[no_mangle]\n pub extern fn increment(a: u64) -> u64 { \n return a + 1;\n }\n \n\n### CALL on macOS\n\n`CALL` didn't quite work on macOS. 
For some reason, there the function call was replaced with an intermediate call to `_cgo_thread_start`, which is not that incredible considering we are using something called `cgo_import_static` and that `CALL` is virtual in Go assembly.\n \n \n callq 0x40a27cd ; x_cgo_thread_start + 29 \n \n\nWe can bypass that \"helper\" by using the full `//go:linkname` incantation we found in the standard library to take a pointer to the function, and then calling the function pointer, like this.\n \n \n import _ \"unsafe\"\n \n //go:cgo_import_static increment\n //go:linkname increment increment\n var increment uintptr \n var _increment = &increment \n \n \n \n MOVQ \u00b7_increment(SB), AX\n CALL AX\n \n\n## Is it fast?\n\nThe point of this whole exercise is to be able to call Rust instead of assembly for cryptographic operations (and to have fun). So a rustgo call will have to be almost [as fast as an assembly call](<https://speakerdeck.com/gtank/i-wanna-go-fast>) to be useful.\n\nBenchmark time!\n\nWe'll compare incrementing a uint64 inline, with a `//go:noinline` function, with the rustgo call above, and with a cgo call to the exact same Rust function.\n\nRust was compiled with `-g -O`, and the benchmarks were run on macOS on a 2.9GHz Intel Core i5.\n \n \n name time/op \n CallOverhead/Inline 1.72ns \u00b1 3% \n CallOverhead/Go 4.60ns \u00b1 2% \n CallOverhead/rustgo 5.11ns \u00b1 4% \n CallOverhead/cgo 73.6ns \u00b1 0% \n \n\nrustgo is 11% slower than a Go function call, and almost 15 times faster than cgo!\n\nThe performance is even better when run on Linux without the function pointer workaround, with only a 2% overhead.\n \n \n name time/op \n CallOverhead/Inline 1.67ns \u00b1 2% \n CallOverhead/Go 4.49ns \u00b1 3% \n CallOverhead/rustgo 4.58ns \u00b1 3% \n CallOverhead/cgo 69.4ns \u00b1 0% \n \n\n## A real example\n\nFor a real-world demo, I picked the excellent curve25519-dalek library, and specifically the task of multiplying the curve basepoint by a scalar and 
returning its Edwards representation.\n\nThe Cargo benchmarks swing widely between executions because of [CPU frequency scaling](<https://wiki.debian.org/HowTo/CpuFrequencyScaling>), but they suggest the operation will take 22.9\u00b5s \u00b1 17%.\n \n \n test curve::bench::basepoint_mult ... bench: 17,276 ns/iter (+/- 3,057) \n test curve::bench::edwards_compress ... bench: 5,633 ns/iter (+/- 858) \n \n\nOn the Go side, we'll expose a simple API.\n \n \n func ScalarBaseMult(dst, in *[32]byte) \n \n\nOn the Rust side, it's not different from building [an interface for normal FFI](<https://doc.rust-lang.org/beta/book/first-edition/ffi.html#calling-rust-code-from-c>).\n\nI'll be honest, it took me forever to figure out enough Rust to make this work.\n \n \n #![no_std]\n \n extern crate curve25519_dalek; \n use curve25519_dalek::scalar::Scalar; \n use curve25519_dalek::constants;\n \n #[no_mangle]\n pub extern fn scalar_base_mult(dst: &mut [u8; 32], k: &[u8; 32]) { \n let res = &constants::ED25519_BASEPOINT_TABLE * &Scalar(*k);\n dst.clone_from(res.compress_edwards().as_bytes());\n }\n \n\nTo build the `.a` we use `cargo build --release` with a `Cargo.toml` that defines the dependencies, enables frame pointers, and configures curve25519-dalek to use its most efficient math and no standard library.\n \n \n [package]\n name = \"ed25519-dalek-rustgo\" \n version = \"0.0.0\"\n \n [lib]\n crate-type = [\"staticlib\"]\n \n [dependencies.curve25519-dalek]\n version = \"^0.9\" \n default-features = false \n features = [\"nightly\"]\n \n [profile.release]\n debug = true \n \n\nFinally, we need to adjust the trampoline to take two arguments and return no value.\n \n \n TEXT \u00b7ScalarBaseMult(SB), 0, $16384-16 \n MOVQ dst+0(FP), DI\n MOVQ in+8(FP), SI\n \n MOVQ SP, BX\n ADDQ $16384, SP\n ANDQ $~15, SP\n \n MOVQ \u00b7_scalar_base_mult(SB), AX\n CALL AX\n \n MOVQ BX, SP\n RET\n \n\nThe result is a transparent Go call with performance that closely resembles the pure Rust 
benchmark, and is almost 6% faster than cgo!\n \n \n name old time/op new time/op delta \n RustScalarBaseMult 23.7\u00b5s \u00b1 1% 22.3\u00b5s \u00b1 4% -5.88% (p=0.003 n=5+7) \n \n\nFor comparison, similar functionality is provided by github.com/agl/ed25519/edwards25519, and that pure-Go library takes almost 3 times as long.\n \n \n h := &edwards25519.ExtendedGroupElement{} \n edwards25519.GeScalarMultBase(h, &k) \n h.ToBytes(&dst) \n \n \n \n name time/op \n GoScalarBaseMult 66.1\u00b5s \u00b1 2% \n \n\n## Packaging up\n\nNow we know it actually works, that's exciting! But to be usable it will have to be an importable package, not forced into `package main` by a weird build process.\n\nThis is where [`//go:binary-only-package`](<https://github.com/golang/proposal/blob/master/design/2775-binary-only-packages.md>) comes in! That annotation allows us to tell the compiler to ignore the source of the package, and to only use the pre-built `.a` library file in `$GOPATH/pkg`.\n\nIf we can manage to build a `.a` file that works with Go's native linker ([cmd/link](<https://godoc.org/cmd/link>), referred to also as the _internal_ linker), **we can redistribute that and it will let our users import the package as if it was a native one**, including cross-compiling (provided we included a `.a` for that platform)!\n\nThe Go side is easy, and pairs with the assembly and Rust we already have. 
We can even include docs for `go doc`'s benefit.\n \n \n //go:binary-only-package\n \n // Package edwards25519 implements operations on an Edwards curve that is\n // isomorphic to curve25519.\n //\n // Crypto operations are implemented by calling directly into the Rust\n // library curve25519-dalek, without cgo.\n //\n // You should not actually be using this.\n package edwards25519\n \n import _ \"unsafe\"\n \n //go:cgo_import_static scalar_base_mult\n //go:linkname scalar_base_mult scalar_base_mult\n var scalar_base_mult uintptr \n var _scalar_base_mult = &scalar_base_mult\n \n // ScalarBaseMult multiplies the scalar in by the curve basepoint, and writes\n // the compressed Edwards representation of the resulting point to dst.\n func ScalarBaseMult(dst, in *[32]byte) \n \n\nThe Makefile will have to change quite a bit\u2014since we aren't building a binary anymore we don't get to keep using `go tool link`.\n\nA `.a` archive is just a pack of `.o` object files in [an ancient format with a symbol table](<https://en.wikipedia.org/wiki/Ar_\\(Unix\\)>). If we could get the symbols from the Rust `libed25519_dalek_rustgo.a` library into the `edwards25519.a` archive that `go tool compile` made, we _should_ be golden.\n\n`.a` archives are managed by the `ar` UNIX tool, or by its Go internal counterpart, [cmd/pack](<https://godoc.org/cmd/pack>) (as in `go tool pack`). The two formats are ever-so-subtly different, of course. We'll need to use the platform `ar` for `libed25519_dalek_rustgo.a` and the Go cmd/pack for `edwards25519.a`.\n\n(For example, the platform `ar` on my macOS uses [the BSD convention](<https://en.wikipedia.org/wiki/Ar_\\(Unix\\)#BSD_variant>) of calling files `#1/LEN` and then embedding the filename of length LEN at the beginning of the file, to exceed the 16-byte maximum filename length. 
That was confusing.)\n\nTo bundle the two libraries I tried doing the simplest (read: hackish) thing: extract `libed25519_dalek_rustgo.a` into a temporary folder, and then pack the objects back into `edwards25519.a`.\n \n \n edwards25519/edwards25519.a: edwards25519/rustgo.go edwards25519/rustgo.o target/release/libed25519_dalek_rustgo.a \n go tool compile -N -l -o $@ -p main -pack edwards25519/rustgo.go\n go tool pack r $@ edwards25519/rustgo.o # from edwards25519/rustgo.s\n mkdir -p target/release/libed25519_dalek_rustgo && cd target/release/libed25519_dalek_rustgo && \\\n rm -f *.o && ar xv \"$(CURDIR)/target/release/libed25519_dalek_rustgo.a\"\n go tool pack r $@ target/release/libed25519_dalek_rustgo/*.o\n \n .PHONY: install\n install: edwards25519/edwards25519.a \n mkdir -p \"$(shell go env GOPATH)/pkg/darwin_amd64/$(IMPORT_PATH)/\"\n cp edwards25519/edwards25519.a \"$(shell go env GOPATH)/pkg/darwin_amd64/$(IMPORT_PATH)/\"\n \n\nImagine my surprise when it worked!\n\nWith the `.a` in place it's just a matter of making a simple program using the package.\n \n \n package main\n \n import ( \n \"bytes\"\n \"encoding/hex\"\n \"fmt\"\n \"testing\"\n \n \"github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519\"\n )\n \n func main() { \n input, _ := hex.DecodeString(\"39129b3f7bbd7e17a39679b940018a737fc3bf430fcbc827029e67360aab3707\")\n expected, _ := hex.DecodeString(\"1cc4789ed5ea69f84ad460941ba0491ff532c1af1fa126733d6c7b62f7ebcbcf\")\n \n var dst, k [32]byte\n copy(k[:], input)\n \n edwards25519.ScalarBaseMult(&dst, &k)\n if !bytes.Equal(dst[:], expected) {\n fmt.Println(\"rustgo produces a wrong result!\")\n }\n \n fmt.Printf(\"BenchmarkScalarBaseMult\\t%v\\n\", testing.Benchmark(func(b *testing.B) {\n for i := 0; i < b.N; i++ {\n edwards25519.ScalarBaseMult(&dst, &k)\n }\n }))\n }\n \n\nAnd running `go build`!\n \n \n $ go build -ldflags '-linkmode external -extldflags -lresolv'\n $ ./ed25519-dalek-rustgo\n BenchmarkScalarBaseMult 100000 19914 ns/op \n 
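The `.a` layout the Makefile above pulls apart with `ar xv` and repacks with `go tool pack` is simple enough to parse by hand. The following is an added example, not code from the original post or the ed25519-dalek-rustgo project: a small Go parser for the classic `ar` member header that handles both the plain 16-byte name field and the BSD `#1/LEN` long-name trick the text describes, fed with a constructed in-memory archive (the object name reused from the `ar t` listing later on the page; `go tool pack`'s own variant is not modelled).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Member is one file recovered from an ar archive.
type Member struct {
	Name string
	Data []byte
}

const arMagic = "!<arch>\n"

// parseAr walks a classic ar archive: after the 8-byte global magic, every
// member has a 60-byte ASCII header (name[16] mtime[12] uid[6] gid[6] mode[8]
// size[10] and the terminator "`\n") followed by its data, padded to an even
// offset with "\n". BSD long names ("#1/LEN": the real name is the first LEN
// bytes of the data, counted in size) and GNU "/"-terminated short names are
// handled; GNU long-name tables ("//" with "/N" references) are not resolved.
func parseAr(buf []byte) ([]Member, error) {
	if !bytes.HasPrefix(buf, []byte(arMagic)) {
		return nil, errors.New("ar: missing !<arch> global header")
	}
	off := len(arMagic)
	var members []Member
	for off < len(buf) {
		if off+60 > len(buf) {
			return nil, fmt.Errorf("ar: truncated member header at offset %d", off)
		}
		hdr := buf[off : off+60]
		if string(hdr[58:60]) != "`\n" {
			return nil, fmt.Errorf("ar: bad header terminator at offset %d", off)
		}
		name := strings.TrimRight(string(hdr[0:16]), " ")
		size, err := strconv.Atoi(strings.TrimSpace(string(hdr[48:58])))
		if err != nil || size < 0 {
			return nil, fmt.Errorf("ar: bad size field at offset %d", off)
		}
		off += 60
		if off+size > len(buf) {
			return nil, fmt.Errorf("ar: member %q runs past end of archive", name)
		}
		data := buf[off : off+size]
		switch {
		case strings.HasPrefix(name, "#1/"):
			n, err := strconv.Atoi(name[3:])
			if err != nil || n < 0 || n > len(data) {
				return nil, fmt.Errorf("ar: bad BSD long name header %q", name)
			}
			name = strings.TrimRight(string(data[:n]), "\x00") // BSD NUL-pads the name
			data = data[n:]
		case len(name) > 1 && name != "//" && strings.HasSuffix(name, "/"):
			name = strings.TrimSuffix(name, "/")
		}
		members = append(members, Member{Name: name, Data: data})
		off += size
		if off%2 == 1 {
			off++ // skip the "\n" pad byte between members
		}
	}
	return members, nil
}

// buildBSDAr writes an archive in memory, using the BSD "#1/LEN" convention
// for any name longer than 16 bytes. It only exists to feed parseAr with
// constructed input; it is not a stand-in for ar or go tool pack.
func buildBSDAr(members []Member) []byte {
	var b bytes.Buffer
	b.WriteString(arMagic)
	for _, m := range members {
		name, data := m.Name, m.Data
		if len(name) > 16 {
			padded := name + strings.Repeat("\x00", (4-len(name)%4)%4) // BSD pads to 4
			data = append([]byte(padded), data...)
			name = "#1/" + strconv.Itoa(len(padded))
		}
		fmt.Fprintf(&b, "%-16s%-12d%-6d%-6d%-8o%-10d`\n", name, 0, 0, 0, 0644, len(data))
		b.Write(data)
		if len(data)%2 == 1 {
			b.WriteByte('\n')
		}
	}
	return b.Bytes()
}

func main() {
	// Constructed sample: a short symbol-table member plus one object whose
	// name does not fit the 16-byte field and so goes through "#1/LEN".
	archive := buildBSDAr([]Member{
		{Name: "__.SYMDEF", Data: []byte("symtab")},
		{Name: "ed25519_dalek_rustgo-742a1d9f1c101d86.0.o", Data: []byte("object bytes")},
	})
	members, err := parseAr(archive)
	if err != nil {
		panic(err)
	}
	for _, m := range members {
		fmt.Printf("%s (%d bytes)\n", m.Name, len(m.Data)) // the same listing "ar t" gives
	}
}
```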
\n\nWell, it almost worked. We cheated. The binary would not compile unless we linked it to `libresolv`. To be fair, the Rust compiler tried to tell us. (But who listens to everything the Rust compiler tells you anyway?)\n \n \n note: link against the following native artifacts when linking against this static library\n \n note: the order and any duplication can be significant on some platforms, and so may need to be preserved\n \n note: library: System\n \n note: library: resolv\n \n note: library: c\n \n note: library: m \n \n\nNow, linking against system libraries would be a problem, because it will never happen with internal linking and cross-compilation...\n\nBut hold on a minute, _libresolv_?! Why does our `no_std`, \"should be like assembly\", stack only Rust library want to _resolve DNS names_?\n\n### I really meant `no_std`\n\nThe problem is that the library is not actually `no_std`. Look at all that stuff in there! We want nothing to do with allocators!\n \n \n $ ar t target/release/libed25519_dalek_rustgo.a\n __.SYMDEF \n ed25519_dalek_rustgo-742a1d9f1c101d86.0.o \n ed25519_dalek_rustgo-742a1d9f1c101d86.crate.allocator.o \n curve25519_dalek-03e3ca0f6d904d88.0.o \n subtle-cd04b61500f6e56a.0.o \n std-72653eb2361f5909.0.o \n panic_unwind-d0b88496572d35a9.0.o \n unwind-da13b913698118f9.0.o \n arrayref-2be0c0ff08ae2c7d.0.o \n digest-f1373d68da35ca45.0.o \n generic_array-95ca86a62dc11ddc.0.o \n nodrop-7df18ca19bb4fc21.0.o \n odds-3bc0ea0bdf8209aa.0.o \n typenum-a61a9024d805e64e.0.o \n rand-e0d585156faee9eb.0.o \n alloc_system-c942637a1f049140.0.o \n libc-e038d130d15e5dae.0.o \n alloc-0e789b712308019f.0.o \n std_unicode-9735142be30abc63.0.o \n compiler_builtins-8a5da980a34153c7.0.o \n absvdi2.o \n absvsi2.o \n absvti2.o \n [... snip ...]\n truncsfhf2.o \n ucmpdi2.o \n ucmpti2.o \n core-9077840c2cc91cbf.0.o \n \n\nSo how do we actually make it `no_std`? 
This turned out to be [an entire side-quest](<https://twitter.com/FiloSottile/status/894663496410988544>), but I'll give you a recap.\n\n * If any dependency is not `no_std`, your `no_std` flag is nullified. One of the `curve25519-dalek` dependencies had this problem, `cargo update` fixed that.\n * Actually making a `no_std` _staticlib_ (that is, a library for external use, as opposed to for inclusion in a Rust program) is more like making a `no_std` _executable_, which is much harder as it must be self-contained.\n * The docs on how to make a `no_std` _executable_ are sparse. I mostly used [an old version of the Rust book](<https://doc.rust-lang.org/1.5.0/book/no-stdlib.html>) and eventually found [this section in the lang_items chapter](<https://doc.rust-lang.org/beta/unstable-book/language-features/lang-items.html#writing-an-executable-without-stdlib>). [This blog post](<https://os.phil-opp.com/set-up-rust/>) was useful.\n * For starters, you need to define \"lang_items\" functions to handle functionality that is normally in the stdlib, like `panic_fmt`.\n * Then you are without the Rust equivalents of `compiler-rt`, so you have to import the crate compiler_builtins. ([rust-lang/rust#43264](<https://github.com/rust-lang/rust/issues/43264>))\n * Then there's a problem with `rust_begin_unwind` being unexported, which don't ask me why but is solved by marking `panic_fmt` as `no_mangle`, which the linter is not happy about. ([rust-lang/rust#38281](<https://github.com/rust-lang/rust/issues/38281>))\n * Then you are without `memcpy`, but thankfully there's a native Rust reimplementation in the [rlibc](<https://github.com/alexcrichton/rlibc>) crate. 
Super useful [learning](<https://github.com/rust-lang-nursery/compiler-builtins/issues/182>) that `nm -u` will tell you what symbols are missing from an object.\n\nThis all boils down to a bunch of arcane lines at the top of our `lib.rs`.\n \n \n #![no_std]\n #![feature(lang_items, compiler_builtins_lib, core_intrinsics)]\n use core::intrinsics; \n #[allow(private_no_mangle_fns)] #[no_mangle] // rust-lang/rust#38281\n #[lang = \"panic_fmt\"] fn panic_fmt() -> ! { unsafe { intrinsics::abort() } }\n #[lang = \"eh_personality\"] extern fn eh_personality() {}\n extern crate compiler_builtins; // rust-lang/rust#43264 \n extern crate rlibc; \n \n\nAnd with that, `go build` works (!!!) on macOS.\n\n### Linux\n\nOn Linux nothing works.\n\nExternal linking complains about `fmax` and other symbols missing, and it seems to be right.\n \n \n $ ld -r -o linux.o target/release/libed25519_dalek_rustgo/*.o\n $ nm -u linux.o\n U _GLOBAL_OFFSET_TABLE_\n U abort\n U fmax\n U fmaxf\n U fmaxl\n U logb\n U logbf\n U logbl\n U scalbn\n U scalbnf\n U scalbnl\n \n\nA friend thankfully suggested making sure that I was using `--gc-sections` to strip dead code, which might reference things I don't actually need. And sure enough, this worked. (That's three layers of flag-passing right there.)\n \n \n $ go build -ldflags '-extld clang -linkmode external -extldflags -Wl,--gc-sections'\n \n\nBut umh, in the Makefile we aren't using a linker at all, so where do we put `--gc-sections`? The answer is to stop hacking `.a`s together and actually read the [linker man page](<https://linux.die.net/man/1/ld>).\n\nWe can build a `.o` containing a given symbol and all the symbols it references with `ld -r --gc-sections -u $SYMBOL`. `-r` makes the object reusable for a later link, and `-u` marks a symbol as needed, or everything would end up garbage collected. `$SYMBOL` is `scalar_base_mult` in our case.\n\nWhy wasn't this a problem on macOS? 
It would have been if we linked manually, but the macOS compiler apparently does dead symbol stripping by default.\n \n \n $ ld -e _scalar_base_mult target/release/libed25519_dalek_rustgo/*.o\n Undefined symbols for architecture x86_64: \n \"___assert_rtn\", referenced from:\n _compilerrt_abort_impl in int_util.o\n \"_copysign\", referenced from:\n ___divdc3 in divdc3.o\n ___muldc3 in muldc3.o\n \"_copysignf\", referenced from:\n ___divsc3 in divsc3.o\n ___mulsc3 in mulsc3.o\n \"_copysignl\", referenced from:\n ___divxc3 in divxc3.o\n ___mulxc3 in mulxc3.o\n \"_fmax\", referenced from:\n ___divdc3 in divdc3.o\n \"_fmaxf\", referenced from:\n ___divsc3 in divsc3.o\n \"_fmaxl\", referenced from:\n ___divxc3 in divxc3.o\n \"_logb\", referenced from:\n ___divdc3 in divdc3.o\n \"_logbf\", referenced from:\n ___divsc3 in divsc3.o\n \"_logbl\", referenced from:\n ___divxc3 in divxc3.o\n \"_scalbn\", referenced from:\n ___divdc3 in divdc3.o\n \"_scalbnf\", referenced from:\n ___divsc3 in divsc3.o\n \"_scalbnl\", referenced from:\n ___divxc3 in divxc3.o\n ld: symbol(s) not found for inferred architecture x86_64 \n $ ld -e _scalar_base_mult -dead_strip target/release/libed25519_dalek_rustgo/*.o\n \n\nThis is also the part where [we learn painfully that the macOS platform prepends a `_` to all symbol names](<https://github.com/rust-lang/rust/issues/35052>), because reasons.\n\nSo here's the Makefile portion that will work with external linking out of the box.\n \n \n edwards25519/edwards25519.a: edwards25519/rustgo.go edwards25519/rustgo.o edwards25519/libed25519_dalek_rustgo.o \n go tool compile -N -l -o $@ -p main -pack edwards25519/rustgo.go\n go tool pack r $@ edwards25519/rustgo.o edwards25519/libed25519_dalek_rustgo.o\n \n edwards25519/libed25519_dalek_rustgo.o: target/$(TARGET)/release/libed25519_dalek_rustgo.a \n ifeq ($(shell go env GOOS),darwin) \n $(LD) -r -o $@ -arch x86_64 -u \"_$(SYMBOL)\" $^\n else \n $(LD) -r -o $@ --gc-sections -u \"$(SYMBOL)\" $^\n endif \n 
\n\nThe last missing piece is internal linking on Linux. In short, [it was not linking the Rust code](<https://gist.github.com/FiloSottile/0d938bc4e8a7f3eab1fa4f672c334842#file-internal-linking-issue-diff>), even if the compilation seemed to succeed. The relocations were not happening and the `CALL` instructions in our Rust function were left pointing at meaningless addresses.\n\nAt that point I felt like it had to be a silent linker bug, the final boss in implementing rustgo, and reached out to people much smarter than me. One of them was guiding me in [debugging cmd/link](<https://gist.github.com/FiloSottile/0d938bc4e8a7f3eab1fa4f672c334842#file-relocations-txt>) (which was fascinating!) when Ian Lance Taylor, the author of cgo, helpfully pointed out that `//go:cgo_import_static` is not enough for internal linking, and that I also wanted `//go:cgo_import_dynamic`.\n \n \n //go:cgo_import_static scalar_base_mult\n //go:cgo_import_dynamic scalar_base_mult\n \n\nI still have no idea _why_ leaving it out would result in that issue, but adding it finally made our rustgo package compile both with external and internal linking, on Linux and macOS, out of the box.\n\n### Redistributable\n\nNow that we can build a `.a`, we can take the suggestion in the [`//go:binary-only-package`](<https://github.com/golang/proposal/blob/master/design/2775-binary-only-packages.md>) spec, and build a tarball with `.a`s for `linux_amd64`/`darwin_amd64` and the package source, to untar into a GOPATH to install.\n \n \n $ tar tf ed25519-dalek-rustgo_go1.8.3.tar.gz\n src/github.com/FiloSottile/ed25519-dalek-rustgo/ \n src/github.com/FiloSottile/ed25519-dalek-rustgo/.gitignore \n src/github.com/FiloSottile/ed25519-dalek-rustgo/Cargo.lock \n src/github.com/FiloSottile/ed25519-dalek-rustgo/Cargo.toml \n src/github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519/ \n src/github.com/FiloSottile/ed25519-dalek-rustgo/main.go \n src/github.com/FiloSottile/ed25519-dalek-rustgo/Makefile \n 
src/github.com/FiloSottile/ed25519-dalek-rustgo/release.sh \n src/github.com/FiloSottile/ed25519-dalek-rustgo/src/ \n src/github.com/FiloSottile/ed25519-dalek-rustgo/target.go \n src/github.com/FiloSottile/ed25519-dalek-rustgo/src/lib.rs \n src/github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519/rustgo.go \n src/github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519/rustgo.s \n pkg/linux_amd64/github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519.a \n pkg/darwin_amd64/github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519.a \n \n\nOnce installed like that, the package will be usable just like a native one, cross-compilation included (as long as we packaged a `.a` for the target)!\n\nThe only thing we have to worry about is that if we build Rust with `-Ctarget-cpu=native` it might not run on older CPUs. Thankfully benchmarks ([and the curve25519-dalek authors](<https://twitter.com/isislovecruft/status/887787163072507904>)) tell us that the only real difference is between post and pre-Haswell processors, so we only have to make a universal build and a Haswell one.\n \n \n $ benchstat bench-none.txt bench-haswell.txt\n name old time/op new time/op delta \n ScalarBaseMult/rustgo 22.0\u00b5s \u00b1 3% 20.2\u00b5s \u00b1 2% -8.41% (p=0.001 n=7+6) \n $ benchstat bench-haswell.txt bench-native.txt\n name old time/op new time/op delta \n ScalarBaseMult/rustgo 20.2\u00b5s \u00b1 2% 20.1\u00b5s \u00b1 2% ~ (p=0.945 n=6+7) \n \n\nAs the cherry on top, I made the Makefile obey GOOS/GOARCH, converting them as needed into Rust target triples, so if you have Rust set up for cross-compilation you can even cross-compile the `.a` itself.\n\nHere's the result: [github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519](<https://github.com/FiloSottile/ed25519-dalek-rustgo>). 
It's even on [godoc](<https://godoc.org/github.com/FiloSottile/ed25519-dalek-rustgo/edwards25519>).\n\n## Turning it into a real thing\n\nWell, this was fun.\n\nBut to be clear, rustgo is not a real thing that you should use ~~in production~~. For example, I suspect I should be saving `g` before the jump, the stack size is completely arbitrary, and shrinking the trampoline frame like that will probably confuse the hell out of debuggers. Also, a panic in Rust might get weird.\n\nTo make it a real thing I'd start by calling `morestack` manually from a `NOSPLIT` assembly function to ensure we have enough goroutine stack space (instead of rolling back `rsp`) with a size obtained maybe from static analysis of the Rust function (instead of, well, made up).\n\nIt could all be analyzed, generated and built by some \"rustgo\" tool, instead of hardcoded in Makefiles and assembly files. cgo itself is little more than a code-generation tool after all. It might make sense as a `go:generate` thing, but I know someone who wants to make it a cargo command. (Finally some Rust-vs-Go fighting!) Also, a Rust-side collection of FFI types like, say, `GoSlice` would be nice.\n \n \n #[repr(C)]\n struct GoSlice { \n array: *mut u8,\n len: i32,\n cap: i32,\n }\n \n\nOr maybe a Go or Rust adult will come and tell us to stop before we get hurt.\n\nIn the meantime, you might want to [follow me on Twitter](<https://twitter.com/FiloSottile>).\n\n> Thanks (in no particular order) to David, Ian, Henry, Isis, Manish, Zaki, Anna, George, Kaylyn, Bill, David, Jess, Tony and Daniel for making this possible. Don't blame them for the mistakes and horrors, those are mine.\n\n> Calling Rust from Go without cgo. \n \nIs it fast? Yes. Should you do it? Probably not. Was it fun to hack? Extremely.<https://t.co/kcvbnYcDl5> [pic.twitter.com/2Vv0dMC3Ob](<https://t.co/2Vv0dMC3Ob>)\n> \n> -- Filippo Valsorda (@FiloSottile) [15 August 2017](<https://twitter.com/FiloSottile/status/897434109613674496>)\n\nP.S. 
Before anyone tries to compare this to cgo (which has many more safety features) or pure Go, it's not meant to replace either. It's meant to replace manually written assembly with something much safer and more readable, with comparable performance. Or better yet, it was meant to be a fun experiment.", "reporter": "Filippo Valsorda", "published": "2017-08-15T12:20:08", "type": "filippoio", "title": "rustgo: calling Rust from Go with near-zero overhead", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-15T12:20:08", "id": "FILIPPOIO:43F117A33A04418E818B2AFD0AC3B8B0", "href": "https://blog.filippo.io/rustgo/", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2017-08-15T18:08:15", "references": [], "description": "<i>This post was authored by Dave Liebenberg</i><br /><br /><br />In the past few months, Talos has observed an uptick in the number of Chinese websites offering online DDoS services. Many of these websites have a nearly identical layout and design, offering a simple interface in which the user selects a target\u2019s host, port, attack method, and duration of attack. In addition, the majority of these sites have been registered within the past six months. However, the websites operate under different group names and have different registrants. In addition, Talos has observed administrators of these websites launching attacks on one another. Talos sought to research the actors responsible for creating these platforms and analyze why they have become more prevalent lately.<br /><br /><br />In this blog post, we will begin by looking at the DDoS industry in China and charting the shift toward online DDoS platforms. Then we will examine the types of DDoS platforms created recently, noting their similarities and differences. 
Finally, we will look into the source code likely responsible for the recent increase in these nearly identical DDoS websites.<br /><br /><br /><div><div><h3>DDoS-as-a-Service in China</h3></div><div><br /></div><div>DDoS tools and services remain some of the most popular offerings in the Chinese underground market. A look at one of the most popular Chinese marketplaces, DuTe (\u72ec\u7279), reveals a variety of DDoS-related tools, including actual attack tools as well as associated tools such as brute forcers for different vectors including SSH and RDP.</div><div><br /></div><div>In addition, Chinese social media applications such as WeChat and QQ have hundreds of group chats devoted to DDoS groups, tools, malware, and the exchange of targets. The people interacting in these channels include members of hacking groups, customers, as well as agents and advertisers who can act as intermediaries.</div><div><br /></div><div>Previously, the predominant offerings in these group chats were tools that users could purchase, download, and then operate from their own machine. 
A good example of this type of tool was the TianFa Pressure Testing System.<br /><br /><i>[Figure: TianFa DDoS tool]</i><br /><br />These kinds of tools manage and provide information about a user\u2019s botnet, and then allow the user to customize an attack event, selecting a target and choosing an attack method. Users can purchase the tool, download a copy, and use it with their own servers and botnets. Occasionally, hacker groups also bundle servers or a certain number of bots with purchases, or include brute-forcing tools to help users grow their own botnet, but the end-user would be in charge of maintaining and deploying the tool.<br /><br /><h3>The Rise of Online DDoS Platforms</h3><br /><br />Recently, Talos has noticed a gradual paradigm shift underway in the group chats. 
Advertisements for online DDoS platforms have begun to appear more frequently.<br /><br /><i>[Figure: Advertiser promotes \u201cShaShen\u201d Online DDoS Website]</i><br /><br />After inspecting several of these websites, Talos noticed that many had identical login and registration pages, down to the same background image:<br /><br /><i>[Figure: identical login and registration pages from two of the websites]</i><br /><br />In addition, Talos observed that many of these websites have a nearly identical website design and layout, displaying the number of active users and servers online as well as the total number of attacks that have been carried out (although these numbers vary between groups). In addition, the sites contain announcements from group administrators on recent updates to the tool, its capabilities, or restrictions on its use. In the sidebar, users can register an account, purchase an activation code to begin launching an attack, and then attack a target, either through the graphical interface set up on the website or through identical command line calls which look like this:<br /><br />http://<b>website_name</b>/api.php?<b>username</b>=&amp;<b>password</b>=&amp;<b>host</b>=&amp;<b>port</b>=&amp;<b>time</b>=&amp;<b>method</b>=<br /><br /><i>[Figure: Nearly identical website layout for ShaShen DDoS group and Wang Zhe sec DDoS group.]</i><br /><br /><br />Besides the uncanny similarities in design and function, the majority of the websites had the word \u201cddos\u201d in their domain names, e.g. \u201cshashenddos.club\u201d or \u201c87ddos.cc.\u201d Since these sites were all recently registered, besides relying on intelligence from Chinese social media, Talos was able to identify several new websites by using Cisco Umbrella\u2019s Investigate tool to conduct a regex search for recently-registered domains with the word \u201cddos\u201d in them. Using these combined search methods, Talos was able to identify 32 nearly-identical Chinese online DDoS websites (presumably there are more out there, since not all of these websites had \u201cddos\u201d in their domain name).<br /><br />Because of the similarities in the pages, and the fact that some individuals registered multiple sites for the same group, we initially suspected that one actor was potentially responsible for all the sites and was merely operating under different aliases. In order to test our theory we registered an account with each site and also used Cisco Umbrella\u2019s Investigate tool to examine each site\u2019s registration info.<br /><br />We soon revised our one-actor theory. 
After registering accounts at various sites we noticed that many employed different third-party Chinese payment websites where users could purchase activation codes (typical prices range from around 20RMB for a day-use code to around 400RMB for a month-use pass). In addition, the announcements on the pages displayed different tool capabilities (some advertised attack power of 30-80gbps, while others went as high as 300gbps), as well as different contact information, including various QQ accounts for customer service as well as group chat numbers for customers and administrators to interact. There were also vast differences in the numbers of attacks and users, with one page (www[.]dk[.]ps88[.]org) listing 168,423 attacks made by 44,238 users and another (www[.]pc4[.]tw) listing 24 attacks made by 13 users.<br /><br />In addition, the websites\u2019 registration information also revealed key differences. Most of the websites had different registrant names and emails, as well as different registrars listed. However, there were some similarities as well: almost all had used Chinese registrars, the majority were registered in the past 3 months, and nearly all were registered in the past year. In addition, over half were hosted on Cloudflare IPs.<br /><br />Our final confirmation that different actors were behind these websites came when Talos was monitoring a QQ group chat channel affiliated with one of these online DDoS platforms called Wang Zhe sec. 
We observed a group member requesting an attack on a rival online DDoS group, 87 DDoS, with which we had also already registered an account.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://3.bp.blogspot.com/-QEIHpNA6XSw/WZMirEZWaxI/AAAAAAAAAS0/M3AaUL9iaZsMHbZnR0mdapfrArNL6_l8wCEwYBhgL/s1600/7.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"366\" data-original-width=\"463\" height=\"315\" src=\"https://3.bp.blogspot.com/-QEIHpNA6XSw/WZMirEZWaxI/AAAAAAAAAS0/M3AaUL9iaZsMHbZnR0mdapfrArNL6_l8wCEwYBhgL/s400/7.png\" width=\"400\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">A member of Wang Zhe sec chat group requests attack on rival online DDoS website</td></tr></tbody></table><br /><br />Talos joined a number of group chats associated with online DDoS platforms and observed multiple actors discussing launching DDoS attacks on rival groups. 
Indeed, a look at some of the traffic of these online DDoS websites indicates that they had possibly experienced DDoS attacks.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://3.bp.blogspot.com/-TV859MqdP8k/WZMirdDaF7I/AAAAAAAAAS0/z437D4oracQTA_Vbo33uPZv6qna9zqn1ACEwYBhgL/s1600/8.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"406\" data-original-width=\"1220\" height=\"211\" src=\"https://3.bp.blogspot.com/-TV859MqdP8k/WZMirdDaF7I/AAAAAAAAAS0/z437D4oracQTA_Vbo33uPZv6qna9zqn1ACEwYBhgL/s640/8.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Traffic for the website of 87 DDoS reveals dramatic spike around July 1, 2017</td></tr></tbody></table><br /><br /><h3>A Glimpse Behind the Curtain</h3><br /><br />We had strong indications that multiple groups were building nearly identical online DDoS platforms, but still had no idea why they were using the same layout or why they had all begun to appear so recently. 
We began to gain insight into the story behind these questions after an actor in a group chat run by a Chinese hacker group posted a screenshot of the admin page for his online DDoS platform:<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://3.bp.blogspot.com/-Aqu7eM9BmnA/WZMirT-HpsI/AAAAAAAAAS0/RjqbC_Q8_WQLNx2e7SvGf0w_oF2FvKEvACEwYBhgL/s1600/9.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"656\" data-original-width=\"696\" height=\"600\" src=\"https://3.bp.blogspot.com/-Aqu7eM9BmnA/WZMirT-HpsI/AAAAAAAAAS0/RjqbC_Q8_WQLNx2e7SvGf0w_oF2FvKEvACEwYBhgL/s640/9.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">An actor posts a screenshot of their admin panel for their online DDoS platform</td></tr></tbody></table><br /><br />The screenshot showed a setup page where the actor could choose a name for the site, write a description, and provide links to the terms of service and URLs. Several items of interest jumped out at us, providing further avenues for research. First, we noticed the word \u201cGemini\u201d in the top right corner. Second, we noticed the unique URL of \u201c/yolo/admin/settings.\u201d Finally, we noticed a button at the bottom of the screen where an administrator could select \u201cCloudflare mode\u201d, which reminded us how many of the websites had been hosted on Cloudflare IPs.<br /><br /><h3>Finding and Analyzing the Source Code</h3><br /><br />We now had a hunch that the rise of these nearly identical websites was due to some sort of shared source code, which was likely being offered on Chinese underground hacking forums and marketplaces. We went to several of the forums and searched for the \u201c/yolo/admin/settings\u201d URL present in the screenshot. 
We discovered that several forums had posts offering the sale of source code for an online DDoS platform, all identifying it as a foreign DDoS platform that had been translated into Chinese.<br /><br />Many of the postings were made in early 2017 or late 2016, corresponding to the timeline of the rise in the DDoS platforms. And the pictures in the advertisements looked identical to websites we had been seeing:<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://1.bp.blogspot.com/-FdHXdVvCK8M/WZMiqZsMcHI/AAAAAAAAAS0/HV5gDtGjU-cCOJY1LV0goxrxQT8lYa8EACEwYBhgL/s1600/10.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"1378\" data-original-width=\"1408\" height=\"626\" src=\"https://1.bp.blogspot.com/-FdHXdVvCK8M/WZMiqZsMcHI/AAAAAAAAAS0/HV5gDtGjU-cCOJY1LV0goxrxQT8lYa8EACEwYBhgL/s640/10.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Example of an advertisement for the DDoS platform source code. Description reads: \u201cThis is a foreign DDoS platform source code, it has already been Sinicized, everybody is welcome to test if they want to start a DDoS platform.\u201d Note the design and the settings panel which looks similar to the screenshot an actor posted in a QQ channel, and includes the \u201cGemini\u201d in the top right corner.</td></tr></tbody></table><br /><br />Talos was able to obtain a copy of the source code and went about analyzing it. It was clear that the source code corresponded to the DDoS websites we observed. The PHP files contained icons that matched those found on the websites. 
In addition, the background that the majority of these sites employ was also found in the images folder:<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-bN52FOrOF5M/WZMiqfkctRI/AAAAAAAAAS0/Hv3JrHwIGrciGy6EoV0ehUNHYFD2yi7gwCEwYBhgL/s1600/11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"747\" data-original-width=\"1179\" height=\"404\" src=\"https://2.bp.blogspot.com/-bN52FOrOF5M/WZMiqfkctRI/AAAAAAAAAS0/Hv3JrHwIGrciGy6EoV0ehUNHYFD2yi7gwCEwYBhgL/s640/11.png\" width=\"640\" /></a></div><br /><br />The source code revealed that the platform relied on Bootstrap front-end design and ajax to load content. In the CSS files we found an author named as Pixelcave. Researching Pixelcave, we discovered that they offered Bootstrap-based website designs that looked similar to the online Chinese DDoS websites we had examined. We also noticed that Pixelcave\u2019s logo was present in the top right hand corner of many of the DDoS websites we had found and was also included as an icon in the source code.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://3.bp.blogspot.com/-1IfbFV6pUMs/WZMiqXSHSQI/AAAAAAAAAS0/Of4hFIPboSUFmrICrquVoFQCeU9sQlrnQCEwYBhgL/s1600/12.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"114\" data-original-width=\"144\" src=\"https://3.bp.blogspot.com/-1IfbFV6pUMs/WZMiqXSHSQI/AAAAAAAAAS0/Of4hFIPboSUFmrICrquVoFQCeU9sQlrnQCEwYBhgL/s1600/12.png\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Logo for Pixelcave, which was present on all the DDoS websites we identified.</td></tr></tbody></table><br /><br />According to the source code, the platform has functions 
which pull information from MySQL databases and assess a user\u2019s standing (i.e. the number of attacks, duration of attacks, and number of concurrent attacks a user is allowed based on payments they have made). It then allows a user to input a host, select an attack method (e.g. NTP, L7) and a duration. Provided that the method is supported by the actors and the target is not blacklisted, it calls servers to begin carrying out the attacks.<br /><br />Interestingly, the source code provides a blacklist for sites that cannot be attacked, and includes \u201c.gov\u201d and \u201c.edu\u201d sites among them, although these can obviously be modified. In addition, it comes with a preloaded Terms of Service (in Mandarin) which absolves the administrators of the site from any responsibility for \u201cillegal\u201d acts and asserts that its services are only meant for testing purposes.<br /><br />The code also allows administrators to monitor payments made, outstanding tickets, as well as an overview of the total number of logins and attacks being contracted, and details about the attacks such as the host, duration of the attack, and which server is conducting the attack. The administrator can also set up an activation code system.<br /><br />It is clear that the source code was originally written in English, but was modified so that the final platform would display Chinese-language graphics (as advertised). The source code also provides options for administrators to set up payment systems through PayPal and Bitcoin. It is likely that Chinese actors would modify this by switching it to a Chinese payment system, like third-party payment sites or Chinese services like Alipay. In fact, the icon for PayPal in one image folder is altered to resemble the Alipay icon.<br /><br />It is unclear as of the time of this writing where the original source code was derived from. However, there are several English-language websites that offer online DDoS services, such as the tool DataBooter. 
These websites have some similarities to the Chinese DDoS platforms. For instance, they have a Bootstrap-based design, are hosted on Cloudflare, and have similar graphics conveying the number of attacks, users, and servers online.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://3.bp.blogspot.com/-k34M8x_RaqI/WZMiq1lJQ0I/AAAAAAAAAS0/UsG18JrZb8o9pFb85iHJD0EfddKtJPWSwCEwYBhgL/s1600/13.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"637\" data-original-width=\"1600\" height=\"254\" src=\"https://3.bp.blogspot.com/-k34M8x_RaqI/WZMiq1lJQ0I/AAAAAAAAAS0/UsG18JrZb8o9pFb85iHJD0EfddKtJPWSwCEwYBhgL/s640/13.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Layout for databooter[.]com. The layout is somewhat similar to the Chinese online DDoS websites.</td></tr></tbody></table><br /><br />Talos has observed actors selling source code for these types of English-language DDoS platforms on hacker forums in the past few years. It is possible that Chinese actors obtained this source code, or code based on it, and modified it to localize it more to Chinese consumers, though we have not found direct evidence of this.<br /><br /><h3>Conclusion</h3><br /><br />The recent uptick in Chinese online DDoS platforms seems to be connected to source code for sale on Chinese hacker forums. This source code appears to be a localized version of code originally written for English-language online booters.<br /><br />Online DDoS platforms remain popular because of their easy-to-use interfaces and the fact that they already provide all necessary infrastructure to the user, so there is no need to build a botnet or purchase additional services. 
Instead, the user purchases an activation code through a trusted payment site and then simply enters in their target. This serves the function of enabling even the most novice of actors the capability to launch powerful attacks, depending on the strength of the DDoS group\u2019s backend infrastructure.<br /><br />Talos will continue to monitor Chinese hacker forums and group chats for newly-created online Chinese DDoS platforms as well as greater trends emerging in the Chinese DDoS industry.<br /><br /><h3>IOCs:</h3></div></div>", "reporter": "noreply@blogger.com (William Largent)", "published": "2017-08-15T10:14:00", "type": "talosblog", "title": "Booters with Chinese Characteristics: The Rise of Chinese Online DDoS Platforms", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-15T17:14:41", "id": "TALOSBLOG:D0B6B772794FCBE7CDD2634E264BD929", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/0YCQ48EmU0Q/chinese-online-ddos-platforms.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2017-08-15T10:08:37", "references": [], "description": "![](https://securelist.com/files/2016/11/quarter_threat.jpeg)\n\n### Targeted attacks and malware campaigns\n\n#### Back to the future: looking for a link between old and new APTs\n\nThis year's [Security Analyst Summit](<https://blog.kaspersky.com/tag/sas/?_ga=2.187171304.1160234959.1499343837-897083397.1499343837>) (SAS) included interesting research findings on several targeted attack campaigns. For example, researchers from Kaspersky Lab and King's College London presented their findings on a possible link between [Moonlight Maze](<https://securelist.com/penquins-moonlit-maze/77883/>), a 20 year old cyber-espionage attack that targeted the Pentagon, NASA and others, and Turla \u2013 a very modern APT group.\n\nContemporary reports on Moonlight Maze show how, starting from 1996, US military and government networks, as well as universities, research institutions and even the Department of Energy, began detecting breaches in their systems. The FBI and the Department of Defense launched a massive investigation in 1998. 
However, although the story became public the following year, much of the evidence has remained classified, leaving the details of Moonlight Maze shrouded in myth and secrecy. Nevertheless, over the years several investigators have stated that Moonlight Maze evolved into Turla.\n\n[![](https://securelist.com/files/2017/08/KL-Moonlight-Maze-mapping.png)](<https://securelist.com/files/2017/08/KL-Moonlight-Maze-mapping.png>)\n\nIn 2016, while researching his book _Rise of the Machines_, Thomas Rid of King's College London tracked down a former system administrator whose organisation's server had been hijacked as a [proxy](<https://securelist.com/threats/proxy-server-glossary/?utm_source=securelist&utm_medium=blog>) by the Moonlight Maze attackers. This server, 'HRTest', had been used to launch attacks on the US. The now-retired IT professional had kept the original server and copies of everything relating to the attacks, and handed it to King's College and Kaspersky Lab for further analysis. Kaspersky Lab researchers, Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore from King's College, spent nine months undertaking a detailed technical analysis of these samples. They reconstructed the attackers' operations, tools, and techniques, and conducted a parallel investigation to see if they could prove the claimed connection with Turla.\n\nMoonlight Maze was an open-source Unix-based attack targeting Solaris systems, and the findings show that it made use of a backdoor based on LOKI2 (a program released in 1996 that enables users to extract data via covert channels). This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky Lab had discovered in 2014. These samples, named Penguin Turla, are also based on LOKI2. Further, the re-analysis showed that all of them use code created between 1999 and 2004.\n\nRemarkably, we're still seeing attacks that use this code. 
It was seen in the wild in 2011 in an attack on defence contractor Ruag in Switzerland that has been attributed to Turla. Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penguin Turla backdoor submitted from a system in Germany. It is possible that Turla uses the old code for attacks on highly secure victims that might be harder to breach using its more standard Windows toolset.\n\nThe newly unearthed Moonlight Maze samples reveal many fascinating details about how the attacks were conducted using a complex network of proxies, and the high level of skills and tools used by the attackers.\n\nSo did Moonlight Maze evolve into Turla? It is not possible to say at this time. The next step would focus on a little-known operation called 'Storm Cloud': the evolved toolkit used by the Moonlight Maze operators once the initial intrusions became public in 1999. The story of Storm Cloud leaked out in 2003 with little fanfare. However, a few prescient details led us to believe that this intrusion set might give a more definitive answer.\n\nYou can find details of the research [here](<https://securelist.com/penquins-moonlit-maze/77883/>).\n\n#### Lazarus uncovered\n\nIn February 2016 a group of hackers (unidentified at that time) attempted to steal $851 million \u2013 and succeeded in transferring $81 million from the Central Bank of Bangladesh \u2013 in what is considered to be the largest and most successful cyber-heist ever. 
Research by Kaspersky Lab and others revealed that the attacks were almost certainly conducted by Lazarus, a notorious cyber-espionage and sabotage group \u2013 responsible for [the attack on Sony Pictures](<https://securelist.com/blog/research/67985/destover/>) in 2014, as well as attacks on manufacturing companies, media and financial institutions in at least 18 countries around the world since 2009.\n\nBased on our investigations into attacks by the group on financial institutions in South East Asia and Europe, we have been able to provide an insight into the modus operandi of the Lazarus group.\n\nTypically, the initial compromise occurs when a single system within a bank is breached, either by compromising a corporate server or by means of a watering-hole attack \u2013 that is, by placing exploit code on a legitimate web site visited by staff at the target institution. Then the attackers move to other hosts within the organisation and plant a rudimentary backdoor on infected computers. The group then spends time (days or even weeks) identifying valuable resources within the organisation. Finally the attackers deploy special malware designed to bypass internal security features and issue rogue banking transactions.\n\n[![](https://securelist.com/files/2017/08/lazarus_eng_1.png)](<https://securelist.com/files/2017/08/lazarus_eng_1.png>)\n\nThe Lazarus group operates across the globe: we have found infiltration tools used by Lazarus in multiple countries in the last year or so.\n\n[![](https://securelist.com/files/2017/08/Lazarus_Map_2.png)](<https://securelist.com/files/2017/08/Lazarus_Map_2.png>)\n\nThe Lazarus group is very large and has historically focused mainly on cyber-espionage and cyber-sabotage activities. The group's interest in financial gain is relatively new and it seems as though a different team within Lazarus is responsible for the generation of illegal profits: we have dubbed this team Bluenoroff. 
So far, we have seen four main types of target: financial institutions, casinos, companies developing financial trade software and those in the crypto-currency business.\n\nOne of the most notable Bluenoroff campaigns was its attacks on financial institutions in Poland. The attackers were able to compromise a government web site that is frequently accessed by many financial institutions \u2013 making it a particularly powerful attack vector.\n\nThe Lazarus group goes to great lengths to cover its tracks. However, one of our research partners made an interesting discovery when completing a forensic analysis of a Command-and-Control (C2) server in Europe that was used by the group. Based on the forensic analysis report, it was apparent that the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for the C2. Once the server was ready, the attacker started testing it, first with a browser, then by running test instances of their backdoor. The operator used multiple IPs \u2013 from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea. The operator also installed off-the-shelf crypto-currency mining software that should generate Monero crypto-coins: this software consumed system resources so intensely that the system became unresponsive and froze. This could be the reason why it was not properly cleaned, and the server logs were preserved. 
Of course, while the link to North Korea is interesting, this doesn't mean we can conclude that North Korea is behind all the Bluenoroff attacks: someone in North Korea could have accidentally visited the C2 server, or it could be a deliberate false flag operation.\n\nLazarus is not just another [APT](<https://securelist.com/threats/apt-advanced-persistent-threats-glossary/?utm_source=securelist&utm_medium=blog>) group. The scale of the Lazarus group's operations is shocking: it appears that Lazarus operates a malware factory, generating new tools as old ones are 'burned'. The group uses various code obfuscation techniques, re-writes its own algorithms, applies commercial software protectors, and uses its own and underground packers. Typically, the group pushes rudimentary backdoors during the first stage of infection \u2013 'burning' these doesn't affect the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk: the code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. This usually comes with an installer that only the attackers can use, because they password protect it. This guarantees that automated systems \u2013 be it a public sandbox or a researcher's environment \u2013 will never see the real payload. This level of sophistication is something that is not generally found in the cybercriminal world and requires strict organisation and control at all stages of operation. It also explains Lazarus branching out into operations to generate illegal profits \u2013 operations of this kind require lots of money.\n\nThe best defence against targeted attacks is a multi-layered approach that combines traditional anti-malware technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. 
According to a study by the Australian Signals Directorate, [85 per cent of targeted attacks analysed can be stopped by employing four simple mitigation strategies](<https://securelist.com/blog/software/69887/how-to-mitigate-85-of-threats-with-only-four-strategies/>): application whitelisting, updating applications, updating operating systems and restricting administrative privileges.\n\nYou can find our report on the activities of the Lazarus group [here](<https://securelist.com/lazarus-under-the-hood/77908/>).\n\n#### Beating the bank\n\nAt this year's [Security Analyst Summit](<https://sas.kaspersky.com/>) two of our researchers, Sergey Golovanov and Igor Soumenkov, discussed three cases where cybercriminals had stolen money from ATMs.\n\nThe first, [ATMitch](<https://securelist.com/atmitch-remote-administration-of-atms/77918/>), involved compromising the bank's infrastructure in order to control the operation of the ATM remotely. The attackers exploited an unpatched vulnerability to penetrate the target bank's servers. They used open source code and publicly available tools to infect computers in the bank. However, the malware they created resided in memory only, not on the hard drives, and almost all traces of the malware were removed when the computer was re-booted. Following the infection, the attackers established a connection to their C2 server, allowing them to remotely install malware on the ATMs. Since this looked like a legitimate update, it didn't trigger any alerts at the bank. Once installed, the malware looked for the file 'command.txt' \u2013 this contains the single-character commands that control the ATM. The malware first issues a command to find out how much money is in the ATM, then issues a further command to dispense money \u2013 collected by a money mule waiting at the ATM. 
After this, the malware writes all the information about the operation into the log file and wipes 'command.txt' clean.\n\n[![](https://securelist.com/files/2017/08/C8g2QpdXsAAc2P6.jpg)](<https://securelist.com/files/2017/08/C8g2QpdXsAAc2P6.jpg>)\n\nWhat alerted bank staff to the malware was a single file called 'kl.txt'. Thinking that this might have something to do with Kaspersky Lab, the bank called us and asked us to investigate. We created a [YARA](<https://en.wikipedia.org/wiki/YARA>) rule to search our systems for this file and discovered that we had seen it twice \u2013 once in Russia and once in Kazakhstan. This enabled us to reverse engineer the malware and understand how the attack works.\n\nOne of the other bank attacks also started with a request from the bank. Money was missing, but the ATM logs were clear and the criminals had taped over the CCTV camera, so that there was no recording of the attack. The bank delivered the ATM to our office and, after disassembling it, we discovered that there was a Bluetooth adaptor connected to the ATM's USB hub. The criminals had installed a Bluetooth adaptor on the ATM and had waited three months for the log to clear. Then they returned to the ATM, covered the security cameras and used a Bluetooth keyboard to re-boot the ATM in service mode and emptied the dispenser.\n\nAnother attack, which, like those mentioned above, started with a bank asking us to investigate an ATM theft, turned out to be much cruder in its approach. We found a hole, approximately 4cm in diameter, drilled near the PIN pad. Not long after, we learned of similar attacks in Russia and Europe. When police caught a suspect with a laptop and some wiring, things became clearer. We disassembled the ATM to try to find out what the attacker could be trying to access from the hole. What we found was a 10-PIN header, connected to a bus that connects all of the ATM's components and weak encryption that could be broken very quickly. 
Any single part of the ATM could be used to control all the others; and since there was no authentication between the parts, any one of them could be replaced without the others realising. It cost us around $15 and some time to create a simple circuit board that could control the ATM once we connected it to the serial bus, including dispensing money.\n\nFixing the problem, as our researchers highlighted, isn't straightforward. Patching requires a hardware update and can't be done remotely: a technician must visit all the affected ATMs to install it.\n\nYou can read more about these incidents [here](<https://blog.kaspersky.com/sas-2017-atm-malware/14509/>).\n\n#### Meet the Lamberts\n\nIn April, we published a report on an advanced threat actor that can be compared with Duqu, Equation, Regin or ProjectSauron in terms of its complexity. This group, which we call 'The Lamberts' (but which is also known as 'Longhorn') first came to the attention of the security community in 2014, when [researchers from FireEye discovered an attack using a zero-day vulnerability (CVE-2014-4148)](<https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html>). This attack used malware that we call 'Black Lambert' to target a high profile organisation in Europe.\n\nThe group has developed and used sophisticated attack tools \u2013 including network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers \u2013 against its victims since at least 2008. The latest samples were created in 2016. There are currently known versions for Windows and OS X. However, given the complexity of these projects and the existence of an implant for OS X, we think that it is highly possible that other Lamberts exist for other platforms, such as Linux.\n\nWhite Lambert runs in kernel mode and intercepts network traffic on infected machines. It decrypts packets crafted in a special format to extract instructions. 
We named these passive backdoors 'White Lambert' to contrast with the active 'Black Lambert' implants.\n\nWe subsequently came by another generation of malware that we called 'Blue Lambert'.\n\nOne of these samples is interesting because it appears to have been used as second stage malware in a high profile attack that involved the Black Lambert malware.\n\nThe family of samples called 'Green Lambert' is a lighter, more reliable, but older version of Blue Lambert. Interestingly, while most Blue Lambert variants have version numbers in the range of 2.x, Green Lambert mostly includes 3.x versions. This stands in contrast to the data gathered from export timestamps and C2 domain activity that points to Green Lambert being considerably older than Blue Lambert. Perhaps both Blue and Green versions were developed in parallel by two different teams working under the same umbrella, as normal software version iterations, with one being deployed earlier than the other.\n\nSignatures created for Green Lambert (Windows) have also triggered on an OS X variant of Green Lambert, with a very low version number: 1.2.0. This was uploaded to a multi-scanner service in September 2014. The OS X variant of Green Lambert is in many regards functionally identical to the Windows version, but it's missing certain functionality \u2013 such as running plugins directly in memory.\n\nKaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family 'Pink Lambert'.\n\nThe Pink Lambert toolset includes a beaconing implant, a USB-harvesting module and a multi-platform orchestrator framework that can be used to create OS-independent malware. 
Versions of this particular orchestrator were found on other victims, together with White Lambert samples, indicating a close relationship between the White and Pink Lambert families.\n\nBy looking further for other undetected malware on victims of White Lambert, we found yet another, apparently related, family. The new family, which we called 'Gray Lambert', is the latest iteration of passive network tools from the Lamberts' arsenal. The coding style of Gray Lambert is similar to the Pink Lambert USB-harvesting module. However, the functionality mirrors that of White Lambert. Compared to White Lambert, Gray Lambert runs in user mode, without the need for exploiting a vulnerable signed driver to load arbitrary code on 64-bit Windows systems.\n\nConnecting all these different families by shared code, data formats, C2 server, and victims, we have arrived at the following overarching picture:\n\n[![](https://securelist.com/files/2017/08/Lamberts_chart.png)](<https://securelist.com/files/2017/08/Lamberts_chart.png>)\n\nDevelopment of The Lamberts toolkit spans several years, with most activity occurring in 2013 and 2014.\n\n[![](https://securelist.com/files/2017/08/Lamberts.png)](<https://securelist.com/files/2017/08/Lamberts.png>)\n\nOverall, the toolkit includes highly sophisticated malware that relies on high-level techniques to sniff network traffic, run plugins in memory without touching the disk and make use of exploits against signed drivers to run unsigned code on 64-bit Windows systems.\n\nTo further exemplify the proficiency of the attackers behind The Lamberts' toolkit, deployment of Black Lambert included a rather sophisticated TTF zero-day exploit, CVE-2014-4148. 
Taking this into account, we classify The Lamberts as the same level of complexity as Duqu, Equation, Regin or ProjectSauron \u2013 that is, one of the most sophisticated cyber-espionage toolkits we have ever analysed.\n\nIn the vast majority of cases, the infection method is unknown, so there are still a lot of unknown details about these attacks and the group(s) using them.\n\nYou can read more about The Lamberts [here](<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>).\n\nThe only effective way to withstand such threats is to deploy multiple layers of security, with sensors to monitor for even the slightest anomaly in organisational workflow, combined with threat intelligence and forensic analysis.\n\nWe will continue to monitor the activities of The Lamberts, as well as other targeted attack groups. By [subscribing to our APT intelligence reports](<https://www.kaspersky.co.uk/enterprise-security/apt-intelligence-reporting>), you can get access to our investigations and discoveries as they happen, including comprehensive technical data.\n\n### Malware stories\n\n#### More vulnerable Internet of Things things\n\nHackers are targeting devices that make up the Internet of Things (IoT) more and more. One of the most dramatic examples is the Mirai botnet, which [took down a portion of the Internet](<https://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-attacks-on-dns-providers/121475/>) in October 2016 by hijacking connected home devices (such as DVRs, CCTV cameras and printers).\n\nIn our [predictions for 2017](<https://securelist.com/analysis/kaspersky-security-bulletin/76660/kaspersky-security-bulletin-predictions-for-2017/>) we suggested that vigilante hackers might also target IoT devices, to draw attention to the woeful lack of security in some connected devices \u2013 perhaps even going so far as to create an 'Internet of bricks'. 
In addition, there have been recent reports ([here](<https://arstechnica.com/security/2017/04/rash-of-in-the-wild-attacks-permanently-destroys-poorly-secured-iot-devices/>) and [here](<https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/>)) of IoT malware designed to do just that.\n\nIn April, we published an analysis of the [Hajime botnet](<https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/>). This malware, first reported in October 2016 by Rapidity Networks, infects insecure IoT devices with open Telnet ports and default passwords. Hajime is a huge peer-to-peer botnet which, at the time of our report (25 April), comprised around 300,000 devices. The malware is continually evolving, adding and removing functionality. The most intriguing aspect of Hajime is its purpose. The botnet is growing, partly due to new exploitation modules, but its purpose remains unknown. So far, it hasn't been used for malicious activity. It's possible that this will never happen, because every time a new configuration file is downloaded, a piece of text is displayed while the new configuration is being processed:\n\n[![](https://securelist.com/files/2017/08/hajime_eng_4.png)](<https://securelist.com/files/2017/08/hajime_eng_4.png>)\n\nOn the other hand, even if it's not used for deliberate harm, it's possible that it might adversely affect the normal operation of an infected device.\n\nHajime, like other malware designed to compromise IoT devices, exploits the fact that many people don't change the manufacturer's default credentials when they buy a smart device. This makes it easy for attackers to access the device \u2013 they simply have to try the known default password. In addition, there are no firmware updates for many devices. IoT devices are also an attractive target for cybercriminals because they often have 24/7 connectivity.\n\nThese days we're surrounded by smart devices. 
This includes everyday household objects such as telephones, televisions, thermostats, refrigerators, baby monitors, fitness bracelets and even children's toys. However, it also includes cars, medical devices, CCTV cameras and parking meters. Now we can add drones to the list.\n\nAt the [Security Analyst Summit](<https://blog.kaspersky.com/tag/sas/?_ga=2.187171304.1160234959.1499343837-897083397.1499343837>), security expert Jonathan Andersson showed how a skilled attacker could [create a device to hijack a drone in seconds](<https://www.kaspersky.co.uk/blog/drone-gone-in-11-ms/8654/>). He used a [software-defined radio](<https://en.wikipedia.org/wiki/Software-defined_radio>) (SDR), a drone's control unit, a microcomputer and some other electronic equipment to create such a device, which he called 'Icarus'. He used the device to tune to the frequency a drone uses to communicate with its controller and then experimented until he learned how exactly the signals were transmitted between the devices.\n\nAndersson explained that this threat can potentially influence the whole drone industry \u2014 from cheap toys to expensive, professional craft \u2014 because drones and controller units use data transfer protocols that are vulnerable to the same type of attack. While stronger encryption could fix the problem, it's not that easy because many controllers do not support software updates. Strong encryption also requires substantial computation capacity, which leads to additional energy consumption by the controller _and_ the drone.\n\nHacking drones might seem a bit far-fetched, but the use of drones is no longer just a niche activity. 
Last December, [Amazon tested the use of drones to deliver parcels](<https://www.usatoday.com/story/tech/news/2016/12/14/amazon-delivered-its-first-customer-package-drone/95401366/>).\n\nYou can find our overview of the growing threat to IoT devices, plus advice on protecting yourself from IoT malware [here](<https://securelist.com/honeypots-and-the-internet-of-things/78751/>).\n\n#### From extortion to ExPetr\n\nThe threat from ransomware continues to grow. Between April 2016 and March 2017, we blocked ransomware on the computers of 2,581,026 Kaspersky Lab customers. This is an increase of 11.4 per cent on the previous 12 months. You can read our full report on ransomware developments in 2016-17 [here](<https://securelist.com/ksn-report-ransomware-in-2016-2017/78824/>), but here are some of the key trends.\n\n * The extortion model is here to stay and we're seeing growing competition between ransomware gangs. They're also targeting countries that had previously been unaffected \u2013 where people are less well-prepared to deal with the threat.\n * We're seeing increasingly targeted ransomware attacks \u2013 quite simply because attacks on businesses are more profitable.\n * Ransomware is growing in sophistication and diversity, offering many ready-to-go solutions to those with fewer skills, resources or time \u2013 through a growing and increasingly efficient underground ecosystem.\n * The establishment of a criminal-to-criminal infrastructure is fuelling the development of easy-to-go, ad hoc tools to perform targeted attacks and extort money, making attacks more dispersed.\n * Global initiatives to protect people from crypto-ransomware, such as [No More Ransom](<https://www.nomoreransom.org/>), will continue to gain momentum.\n\nIn May, we saw the biggest ransomware epidemic in history, called WannaCry. 
The largest number of attacks occurred in Russia, but there were also victims in Ukraine, India, Taiwan and many other countries \u2013 in total, 74 countries were affected. The malware spread very quickly \u2013 in just one day we saw more than 45,000 infections (Europol later estimated that upwards of 200,000 people had fallen victim to WannaCry).\n\n[![](https://securelist.com/files/2017/08/wannacry_03.png)](<https://securelist.com/files/2017/08/wannacry_03.png>)\n\nWannaCry spread by taking advantage of a Windows exploit named 'EternalBlue' that relies on a vulnerability that Microsoft had patched in security update MS17-010. The Microsoft update had been released on 14 March, one month before the EternalBlue exploit was made available in the 'Shadow Brokers' dump. However, many organisations hadn't patched their systems, allowing the attackers to gain remote access to corporate systems. The malware then spread to other unpatched computers on the network.\n\nLike other cryptors, WannaCry encrypts files on an infected computer and demands a ransom to decrypt them.\n\n[![](https://securelist.com/files/2017/08/wannacry_05.png)](<https://securelist.com/files/2017/08/wannacry_05.png>)\n\nThe attackers initially demanded $300, but this increased to $600 as the outbreak unfolded.\n\nTo ensure that the victims didn't miss the warning, the malware changed the wallpaper and included instructions on how to locate the decryptor tool dropped by the malware.\n\n[![](https://securelist.com/files/2017/08/wannacry_07.png)](<https://securelist.com/files/2017/08/wannacry_07.png>)\n\nIt's clear from our research that the quality of the WannaCry code is poor and the developers made many mistakes, enabling many of those infected to [recover encrypted data](<https://securelist.com/wannacry-mistakes-that-can-help-you-restore-files-after-infection/78609/>). 
The [way the attackers handled ransom payments limited their ability to capitalise on the spread of the worm](<https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/>). Multiple attempts were made to track transactions to the bitcoin wallets used by the attackers. Although estimates of how much money the attackers made vary, they run into tens of thousands, rather than hundreds\n\nThe timeline for attacks in the first week shows the impact of cyber-security efforts in combating the threat.\n\n[![](https://securelist.com/files/2017/08/wannacry_02.png)](<https://securelist.com/files/2017/08/wannacry_02.png>)\n\nNot least among them was the discovery of a kill-switch. There's a special check at the start of the code: it tries to connect to a hard-coded web site. If the connection fails, the attack continues; if the connection succeeds, the code exits. By registering this domain and pointing it to a [sinkhole](<https://securelist.com/threats/sinkhole-glossary/?utm_source=securelist&utm_medium=blog>) server, [a UK researcher was able to slow the infection of the worm](<https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack>).\n\nA few days into the outbreak, Neel Mehta, a researcher at Google, posted a [mysterious tweet using the #WannaCryptAttribution hashtag](<https://twitter.com/neelmehta/status/864164081116225536>) referring to a similarity between two code samples. One was a WannaCry sample from February 2017 that looked like an early variant of the worm. The other was a Lazarus sample from February 2017. Kaspersky Lab and others confirmed the similarity. 
It's too early to say for sure if WannaCry was the work of the Lazarus group \u2013 more research is required to see if the dots join up.\n\nYou can find our original blog post [here](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>), our FAQ [here](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and our comparison of the WannaCry and Lazarus samples [here](<https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/>).\n\nTowards the end of June, we saw reports of a new wave of ransomware attacks. The malware, which we called [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) (but known variously as Petya, Petrwrap and NotPetya) primarily targeted businesses in Ukraine, Russia and Europe \u2013 around 2,000 in total.\n\n[![](https://securelist.com/files/2017/08/schroedinger_petya_02.png)](<https://securelist.com/files/2017/08/schroedinger_petya_02.png>)\n\nExPetr uses a modified version of the EternalBlue exploit, as well as another exploit made public by the Shadow Brokers, called 'EternalRomance'. The malware spread as an update to MeDoc \u2013 a Ukrainian accounting application \u2013 and through watering-hole attacks. 
Once inside the target organisation, the ransomware uses custom tools to extract credentials from the 'lsass.exe' process and passes them to [PsExec](<https://technet.microsoft.com/en-us/library/gg697102.aspx>) or [WMIC](<https://en.wikipedia.org/wiki/Windows_Management_Instrumentation>) tools for further distribution within the network.\n\nThe malware waits for 10 minutes to an hour before re-booting the computer and then encrypts the [MFT](<https://en.wikipedia.org/wiki/NTFS#Master_File_Table>) in NTFS partitions, overwriting the [MBR](<https://en.wikipedia.org/wiki/Master_boot_record>) with a customised loader containing a ransom demand.\n\n[![](https://securelist.com/files/2017/08/schroedinger_petya_01.png)](<https://securelist.com/files/2017/08/schroedinger_petya_01.png>)\n\nExPetr encrypts files as well as encrypting the MFT. The attackers demanded $300 in Bitcoins for the key to decrypt ransomed data, payable to a unified Bitcoin account. In principle \u2013 and unlike WannaCry \u2013 this technique could have worked because the attackers asked the victims to send their wallet numbers by e-mail to 'wowsmith123456@posteo.net', thus confirming the transactions. However, this e-mail account was quickly shut down, limiting the attackers' ability to make money.\n\nFollowing further analysis of the encryption routine, we concluded, as did some other researchers, that [it isn't possible for the attackers to decrypt the victims' disks, even if payment is made](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>). This suggests that ExPetr was a wiper masquerading as ransomware. There is even a suggestion that there might be a [connection between ExPetr and the BlackEnergy KillDisk ransomware](<https://securelist.com/from-blackenergy-to-expetr/78937/>) from 2015 and 2016.\n\nExPetr wasn't the only ransomware that was distributed via MeDoc updates on 27 June. 
Another ransomware program, which we called [FakeCry](<https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/>), was distributed to MeDoc customers at the same time. Our data indicate that 90 organisations received this malware, nearly all of them in Ukraine.\n\nWhile the interface and messages closely resemble WannaCry, it is an entirely different malware family. We believe that FakeCry was designed with false flags in mind. One of the most interesting questions is whether FakeCry and ExPetr are related \u2013 as is suggested by the fact that both were distributed at the same time through MeDoc updates.\n\nHere are our recommendations on how to protect against ransomware attacks.\n\n * Run a robust anti-malware suite with embedded anti-ransomware protection (such as Kaspersky Lab's System Watcher).\n * Apply security updates for your operating system and applications as soon as they become available.\n * Do not open attachments, or click on links, from untrusted sources.\n * Back up sensitive data to external storage and keep it offline.\n * Never pay the ransom. 
Not only does this fuel the next wave of ransomware attacks, but also there is no guarantee that the criminals will restore your data.", "reporter": "David Emm", "published": "2017-08-15T09:00:37", "type": "securelist", "title": "IT threat evolution Q2 2017", "enchantments": {}, "bulletinFamily": "blog", "cvelist": ["CVE-2014-4148"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-15T09:00:37", "id": "SECURELIST:67FBA208E82CFC857217958E65365F6D", "href": "https://securelist.com/it-threat-evolution-q2-2017/79354/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-17T12:15:14", "references": [], "description": "![](https://securelist.com/files/2016/11/quarter_threat.jpeg)\n\n## Q2 figures\n\nAccording to KSN data, Kaspersky Lab solutions detected and repelled 342,566,061 malicious attacks from online resources located in 191 countries all over the world.\n\n33,006,783 unique URLs were recognized as malicious by web antivirus components.\n\nAttempted infections by malware that aims to steal money via online access to bank accounts were registered on 224,675 user computers.\n\nCrypto ransomware attacks were blocked on 246,675 computers of unique users.\n\nKaspersky Lab's file antivirus detected a total of 185,801,835 unique malicious and potentially unwanted objects.\n\nKaspersky Lab mobile security products detected:\n\n * 1,319,148 malicious installation packages;\n * 28,976 mobile banker Trojans (installation packages);\n * 200,054 mobile ransomware Trojans (installation packages).\n\n## Mobile threats\n\n### Q2 events\n\n#### SMS spam\n\nAs [we wrote](<https://securelist.com/it-threat-evolution-q1-2017-statistics/78475/>) in the previous quarter, fraudsters had begun to actively use the Trojan-Banker.AndroidOS.Asacub mobile [banker](<https://securelist.com/threats/banker-trojan-banker-glossary/?utm_source=securelist&utm_medium=blog>), distributing it via SMS 
spam. At the end of Q2, we detected a much larger campaign to spread it: in June, there were three times as many attacked users as in April, and judging by the first week of July, this growth continues.\n\n[![](https://securelist.com/files/2017/08/Users_Attacked_by_TrojanBanker_Q2_2017_EN.jpg)](<https://securelist.com/files/2017/08/Users_Attacked_by_TrojanBanker_Q2_2017_EN.jpg>)\n\nThe number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 2017\n\n#### Revamped Ztorg\n\nYet another interesting theme discussed in our report for the first quarter of 2017 remained relevant in Q2: the attackers continued to upload to Google Play new applications with the malicious Ztorg module. Interestingly, in the second quarter, we registered cases of additional Ztorg modules being uploaded, not just the main ones. For example, we found a Trojan that could install and even buy apps on Google Play. We also discovered [Trojan-SMS.AndroidOS.Ztorg.a](<https://securelist.com/ztorg-from-rooting-to-sms/78775/>), which could send paid SMS.\n\nOf note is the fact that, unlike the main Ztorg module, neither of the two malware samples attempted to exploit system [vulnerabilities](<https://securelist.com/threats/vulnerability-glossary/?utm_source=securelist&utm_medium=blog>) to obtain root privileges. [To recap, Trojan.AndroidOS.Ztorg](<https://securelist.com/ztorg-money-for-infecting-your-smartphone/78325/>) tries to get root privileges to display ads and secretly install new applications, including the additional modules mentioned above.\n\n#### Meet the new Trojan - Dvmap\n\nIn April 2017 we [discovered a new rooting malware](<https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/>) distributed via the official Google Play Store \u2014 Trojan.AndroidOS.Dvmap.a. Dvmap is very special rooting malware: it modifies system libraries. 
The Trojan exploits system vulnerabilities to obtain root privileges, and then injects its malicious code into the system library.\n\n#### WAP billing subscriptions\n\nIn the second quarter of 2017, we registered an increase in the activity of Trojans designed to steal user money utilizing the mechanism of [paid subscriptions](<https://en.wikipedia.org/wiki/WAP_billing>) (two years ago we wrote about [similar attacks](<https://securelist.com/sms-trojan-bypasses-captcha/69169/>)). To recap, paid subscription services are special sites that allow users to pay for services by deducting a certain amount of money from their phone accounts. Before getting the service, the client is redirected to the site of the cellular service provider, where he is asked to confirm the operation. The provider may also use SMS to confirm the payment. The Trojans have learned to bypass these restrictions: without the user's awareness, they click on the confirmation forms using special JS files. In addition, the Trojans can hide messages from the cellular service provider from the user.\n\nWe have discovered that in some cases, after the infection, the Ztorg Trojan can install additional modules with this functionality. Meanwhile, the Trojan-Clicker.AndroidOS.Xafekopy family is capable of attacking such services in India and Russia, using JS files similar to those used by Ztorg.\n\nTwo malware samples from our Top 20 most popular Trojan programs in Q2 2017 were also attacking WAP subscriptions. They are Trojan-Clicker.AndroidOS.Autosus.a and Trojan-Dropper.AndroidOS.Agent.hb. 
Moreover, the most popular Trojans of the quarter detected by our machine learning-based system were also malicious programs utilizing mobile subscriptions.\n\n### Mobile threat statistics\n\nIn the second quarter of 2017, Kaspersky Lab detected 1,319,148 malicious installation packages, which is almost as many as in the two previous quarters.\n\n[![](https://securelist.com/files/2017/08/Number_of_detected_distr_.png)](<https://securelist.com/files/2017/08/Number_of_detected_distr_.png>)\n\nNumber of detected malicious installation packages (Q3 2016 \u2013 Q2 2017)\n\n#### Distribution of mobile malware by type\n\n[![](https://securelist.com/files/2017/08/Types_of_new_detected_mob_EN.jpg)](<https://securelist.com/files/2017/08/Types_of_new_detected_mob_EN.jpg>)\n\nDistribution of new mobile malware by type (Q1 and Q2 2017)\n\nIn Q2 2017, the biggest growth was demonstrated by Adware (13.31%) \u2013 its share increased by 5.99 p.p. The majority of all discovered installation packages are detected as AdWare.AndroidOS.Ewind.iz and AdWare.AndroidOS.Agent.n.\n\nTrojan-SMS malware (6.83%) ranked second in terms of the growth rate: its contribution increased by 2.15 percentage points. Most of the detected installation packages belonged to the Trojan-SMS.AndroidOS.Opfake.bo and Trojan-SMS.AndroidOS.FakeInst.a families, whose share grew more than three-fold from the previous quarter.\n\nThe biggest decline was demonstrated by Trojan-Spy (3.88%). To recap, the growth rate of this type of malware was one of the highest in Q1 2017. This was caused by the increase in the number of malicious programs belonging to the [Trojan-Spy.AndroidOS.SmForw](<https://threats.kaspersky.com/en/threat/Trojan-Spy.AndroidOS.SmForw>) and [Trojan-Spy.AndroidOS.SmsThief](<https://threats.kaspersky.com/en/threat/Trojan-Spy.AndroidOS.SmsThief>) families.\n\nThe contribution of Trojan-Ransom programs, which had come first in terms of the growth rate in the first quarter of 2017, dropped by 2.55 p.p. 
and accounted for 15.09% in Q2.\n\n### TOP 20 mobile malware programs\n\n_Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware._\n\n| **Name** | **% of users attacked*** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 62.27% \n2 | Trojan.AndroidOS.Boogr.gsh | 15.46% \n3 | Trojan.AndroidOS.Hiddad.an | 4.20% \n4 | Trojan-Dropper.AndroidOS.Hqwar.i | 3.59% \n5 | Backdoor.AndroidOS.Ztorg.c | 3.41% \n6 | Trojan-Dropper.AndroidOS.Agent.hb | 3.16% \n7 | Backdoor.AndroidOS.Ztorg.a | 3.09% \n8 | Trojan.AndroidOS.Sivu.c | 2.78% \n9 | Trojan-Dropper.AndroidOS.Lezok.b | 2.30% \n10 | Trojan.AndroidOS.Ztorg.ag | 2.09% \n11 | Trojan-Clicker.AndroidOS.Autosus.a | 2.08% \n12 | Trojan.AndroidOS.Hiddad.pac | 2.08% \n13 | Trojan.AndroidOS.Ztorg.aa | 1.74% \n14 | Trojan.AndroidOS.Agent.bw | 1.67% \n15 | Trojan.AndroidOS.Agent.gp | 1.54% \n16 | Trojan.AndroidOS.Hiddad.ao | 1.51% \n17 | Trojan-Banker.AndroidOS.Svpeng.q | 1.49% \n18 | Trojan.AndroidOS.Agent.ou | 1.39% \n19 | Trojan.AndroidOS.Loki.d | 1.38% \n20 | Trojan.AndroidOS.Agent.eb | 1.32% \n \n_* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked._\n\nFirst place was occupied by DangerousObject.Multi.Generic (62.27%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor the heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.\n\nSecond came Trojan.AndroidOS.Boogr.gsh (15.46%). This verdict is issued for files recognized as malicious by our machine learning-based system. The share of this verdict increased nearly threefold from the previous quarter, which allowed it to move up from third to second place. 
In Q2 2017, this system most often detected Trojans which subscribed users to paid services as well as advertising Trojans which used superuser privileges.\n\nTrojan.AndroidOS.Hiddad.an (4.20%) was third. This piece of malware imitates different popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to combat its removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts; its main \"audience\" is in Russia. In the previous quarter it occupied second position.\n\nTrojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, climbed from eighth to fourth position in the ranking. In most cases, this name hides representatives of the [FakeToken](<https://threats.kaspersky.com/ru/threat/Trojan-Banker.AndroidOS.Faketoken>) and [Svpeng](<https://securelist.ru/grabitel-s-ruchny-m-upravleniem/3290/>) mobile banking families.\n\nIn fifth position was the Trojan Backdoor.AndroidOS.Ztorg.c, one of the most active advertising Trojans which uses superuser rights. In the second quarter of 2017, our TOP 20 included eleven Trojans (highlighted in blue in the table) which tried to obtain or use root rights and which exploited advertising as the main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them \"hide\" in the system folder, thus making it very difficult to remove them. Of note is the fact that the number of such malware in the TOP 20 has been decreasing recently (in Q1 2017, there were fourteen Trojans of this type in the ranking).\n\nTrojan-Dropper.AndroidOS.Agent.hb (3.16%) was sixth in the ranking. It is a complex modular Trojan whose main malicious part is downloaded from the cybercriminals' server. 
We can assume that this Trojan is designed to steal money through paid subscriptions.\n\nEleventh place is occupied by Trojan-Clicker.AndroidOS.Autosus.a (2.08%), whose main task is the activation of paid subscriptions. To do this, it \"clicks\" on the buttons in web catalogs of subscriptions, as well as hiding incoming SMS with information about them.\n\nTrojan.AndroidOS.Agent.bw was fourteenth in the ranking (1.67%). This Trojan, targeting primarily people in India (more than 92% of attacked users), just like Trojan.AndroidOS.Hiddad.an imitates popular programs and games, and once run, downloads and installs various applications from the fraudsters' server.\n\nFifteenth came Trojan.AndroidOS.Agent.gp (1.54%), which steals user money by making paid calls. Due to the use of administrator rights, it counteracts attempts to remove it from an infected device.\n\nThe ranking also included Trojan-Banker.AndroidOS.Svpeng (1.49%), which was seventeenth in the Top 20. This family has been active for three quarters in a row and remains the most popular banking Trojan in Q2 of 2017.\n\n### The geography of mobile threats\n\n[![](https://securelist.com/files/2017/08/Map_Mobile_Malware_Infections_.jpg)](<https://securelist.com/files/2017/08/Map_Mobile_Malware_Infections_.jpg>)\n\nThe geography of attempted mobile malware infections in Q2 2017 (percentage of all users attacked)\n\nTOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Iran | 44.78% \n2 | China | 31.49% \n3 | Bangladesh | 27.10% \n4 | Indonesia | 26.12% \n5 | Algeria | 25.22% \n6 | Nigeria | 24.81% \n7 | India | 24.53% \n8 | C\u00f4te d'Ivoire | 24.31% \n9 | Ghana | 23.20% \n10 | Kenya | 22.85% \n \n_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000). 
\n** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country._\n\nAs in the previous quarter, in Q2 2017 Iran was the country with the highest percentage of users attacked by mobile malware \u2013 44.78%. China came second: 31.49% of users there encountered a mobile threat at least once during the quarter. It was followed by Bangladesh (27.10%).\n\nRussia (12.10%) came 26th in Q2 of 2017 (vs 40th place in the previous quarter), France (6.04%) 58th, the US (4.5%) 71st, Italy (5.7%) 62nd, Germany (4.8%) 67th, Great Britain (4.3%) 73rd.\n\nThe safest countries were Denmark (2.7%), Finland (2.6%) and Japan (1.3%).\n\n### Mobile banking Trojans\n\nOver the reporting period, we detected 28,976 installation packages for mobile banking Trojans, which is 1.1 times less than in Q1 2017.\n\n[![](https://securelist.com/files/2017/08/Number_of_detected_bank_ransomware_.png)](<https://securelist.com/files/2017/08/Number_of_detected_bank_ransomware_.png>)\n\nNumber of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2016 \u2013 Q2 2017)\n\nTrojan-Banker.AndroidOS.Svpeng.q remained the most popular mobile banking Trojan for several quarters in a row. [This family](<https://securelist.com/good-morning-android/75731/>) of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.\n\nSvpeng is followed by Trojan-Banker.AndroidOS.Hqwar.jck and Trojan-Banker.AndroidOS.Asacub.af. 
It is worth noting that most of the users attacked by these three banking Trojans were in Russia.\n\n[![](https://securelist.com/files/2017/08/Map_Mobile_Bank_malware_.jpg)](<https://securelist.com/files/2017/08/Map_Mobile_Bank_malware_.jpg>)\n\nGeography of mobile banking threats in Q2 2017 (percentage of all users attacked)\n\nTOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Russia | 1.63% \n2 | Australia | 0.81% \n3 | Turkey | 0.81% \n4 | Tajikistan | 0.44% \n5 | Uzbekistan | 0.44% \n6 | Ukraine | 0.41% \n7 | Latvia | 0.38% \n8 | Kyrgyzstan | 0.34% \n9 | Moldova | 0.34% \n10 | Kazakhstan | 0.32% \n \n_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000). \n** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country._\n\nIn Q2 2017, the TOP 10 countries attacked by mobile banker Trojans remained practically unchanged: Russia (1.63%) topped the ranking again. In second place was Australia (0.81%), where the [Trojan-Banker.AndroidOS.Acecard](<https://securelist.com/the-evolution-of-acecard/73777/>) and [Trojan-Banker.AndroidOS.Marcher](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Marcher>) families were the most popular threats. 
Turkey (0.81%) rounded off the Top 3.\n\n### Mobile Ransomware\n\nIn Q2 2017, we detected 200,054 mobile Trojan-Ransomware installation packages, which is far more than in the fourth quarter of 2016.\n\n[![](https://securelist.com/files/2017/08/Number_of_detected_mob_ransomware_.png)](<https://securelist.com/files/2017/08/Number_of_detected_mob_ransomware_.png>)\n\nNumber of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 \u2013 Q2 2017)\n\nIn the first half of 2017, we discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. Representatives of Congur usually have very simple functionality \u2013 they change the system password (PIN), or set one if no password was set earlier, thus making it impossible to use the device, and then ask the user to contact the fraudsters via the QQ messenger to unblock it. It is worth noting that there are modifications of this Trojan that can take advantage of existing superuser privileges to install their module into the system folder.\n\nTrojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in Q2, accounting for nearly 20% of users attacked by mobile ransomware, half the share it had in the previous quarter. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and uploads the data to a malicious server. 
After that, it may receive a command to block the device.\n\n[![](https://securelist.com/files/2017/08/Map_Mobile_Trojans_.jpg)](<https://securelist.com/files/2017/08/Map_Mobile_Trojans_.jpg>)\n\nGeography of mobile Trojan-Ransomware in Q2 2017 (percentage of all users attacked)\n\nTOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)\n\n| **Country** * | **% of users attacked** ** \n---|---|--- \n1 | USA | 1.24% \n2 | China | 0.88% \n3 | Italy | 0.57% \n4 | Belgium | 0.54% \n5 | Canada | 0.41% \n6 | Kazakhstan | 0.41% \n7 | Ireland | 0.37% \n8 | Germany | 0.34% \n9 | Norway | 0.31% \n10 | Sweden | 0.29% \n \n_* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000. \n** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country._\n\nThe US topped the ranking of the ten countries attacked by mobile Trojan-Ransomware; the most popular family there was [Trojan-Ransom.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>). These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of $100-500 from victims to unblock their devices.\n\nIn China (0.65%), which came second in Q2 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Congur.\n\nItaly (0.57%) came third. The main threat to users there came from Trojan-Ransom.AndroidOS.Egat.d. This Trojan is spread mostly in Europe and demands $100-200 to unblock the device.\n\n## Vulnerable apps exploited by cybercriminals\n\nIn the second quarter of 2017, campaigns involving in-the-wild vulnerabilities were especially popular. 
The appearance of several 0-day vulnerabilities for Microsoft Office resulted in a significant change in the pattern of exploits used.\n\nCVE-2017-0199, a logic vulnerability in the processing of HTA objects which allows an attacker to execute arbitrary code on a remote machine using a specially crafted file, was detected in early April. Despite the fact that the update fixing this vulnerability was published on April 11, the number of attacked Microsoft Office users soared almost threefold, to 1.5 million. 71% of all attacks on Microsoft Office users were carried out using this vulnerability; documents with exploits for CVE-2017-0199 were very actively used in spam mailings.\n\n[![](https://securelist.com/files/2017/08/Platforms_exploits_.jpg)](<https://securelist.com/files/2017/08/Platforms_exploits_.jpg>)\n\nDistribution of exploits used in attacks by the type of application attacked, Q2 2017\n\nThere were several reasons for this: the simplicity and reliability of its exploitation on all MS Office and Windows versions, and the rapid appearance in open access of document generators with the CVE-2017-0199 exploit, which significantly lowered the entry threshold for exploiting this vulnerability. In comparison, two other zero-day vulnerabilities in MS Office, memory corruption vulnerabilities caused by incorrect processing of EPS files (CVE-2017-0261 and CVE-2017-0262), accounted for only 5%.\n\nHowever, the main event of Q2 was the publication by the Shadow Brokers hacker group of an archive of utilities and exploits, supposedly developed by the US special services. The Lost In Translation archive contained a large number of network exploits for various Windows versions. Even though most of those vulnerabilities were not zero-days and had been patched by the MS17-010 update a month before the leak, the publication had horrendous consequences. 
The damage from worms, Trojans and [ransomware cryptors](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) distributed over the network with the help of EternalBlue and EternalRomance, as well as the number of users infected, is incalculable. In the second quarter of 2017 alone, Kaspersky Lab blocked over five million attempted attacks involving network exploits from the archive. And the average number of attacks per day was constantly growing: 82% of all attacks were detected in the last 30 days.\n\nStatistics from the IDS component on the use of Shadow Brokers exploits over the last month.\n\n[![](https://securelist.com/files/2017/08/IDS_stats_.jpg)](<https://securelist.com/files/2017/08/IDS_stats_.jpg>)\n\nThe sharp peak at the end of the month was the appearance of the [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) cryptor, which used modified EternalBlue and EternalRomance exploits as one of its propagation methods.\n\n## Online threats (Web-based attacks)\n\n### Online threats in the banking sector\n\n_These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. 
Beginning with the first quarter of 2017, the statistics include malicious programs for ATMs and POS terminals but do not include mobile threats._\n\nKaspersky Lab solutions blocked attempts to launch one or several malicious programs capable of stealing money via online banking on 224,000 computers in Q2 2017.\n\n[![](https://securelist.com/files/2017/08/Users_Attacked_by_Bank_Malware_EN.png)](<https://securelist.com/files/2017/08/Users_Attacked_by_Bank_Malware_EN.png>)\n\nNumber of users attacked by financial malware, April \u2013 June 2017\n\n#### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM and POS malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.\n\n[![](https://securelist.com/files/2017/08/Map_bank_attacks_.jpg)](<https://securelist.com/files/2017/08/Map_bank_attacks_.jpg>)\n\nGeography of banking malware attacks in Q2 2017 (percentage of attacked users)\n\nTOP 10 countries by percentage of attacked users\n\n**Country** * | **% of attacked users** ** \n---|--- \nGermany | 2.61 \nTogo | 2.14 \nLibya | 1.77 \nPalestine | 1.53 \nLebanon | 1.44 \nVenezuela | 1.39 \nTunisia | 1.35 \nSerbia | 1.28 \nBahrain | 1.26 \nTaiwan | 1.23 \n \n_These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000). \n** Unique users whose computers have been targeted by banking Trojan and PoS/ATM malware attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nIn the second quarter of 2017, Germany (2.61%) had the highest proportion of users attacked by banking Trojans. 
It was followed by Togo (2.14%). Libya (1.77%) rounded off the Top 3.\n\n#### The TOP 10 banking malware families\n\nThe table below shows the TOP 10 malware families used in Q2 2017 to attack online banking users (as a percentage of users attacked):\n\n**Name** * | **% of attacked users** ** \n---|--- \nTrojan-Spy.Win32.Zbot | 32.58 \nTrojan.Win32.Nymaim | 26.02 \nTrojan-Banker.Win32.Emotet | 7.05 \nTrojan.Win32.Neurevt | 6.08 \nTrojan-Spy.Win32.SpyEyes | 6.01 \nWorm.Win32.Cridex | 4.09 \nTrojan-Banker.Win32.Gozi | 2.66 \nBackdoor.Win32.Shiz | 2.19 \nTrojan.Multi.Capper | 1.9 \nTrojan.Win32.Tinba | 1.9 \n \n_* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware._\n\nIn Q2 2017, [Trojan-Spy.Win32.Zbot](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Zbot>) (32.58%) remained the most popular malware family. Its source code has been publicly available since it leaked, so cybercriminals regularly extend the family with new modifications compiled from that source code and containing minor differences from the original.\n\nSecond came [Trojan.Win32.Nymaim](<https://threats.kaspersky.com/ru/threat/Trojan.Win32.Nymaim>) (26.02%). The first modifications of malware belonging to this Trojan family were downloaders, which locked the infected machine with the help of downloaded programs specific to each country. Later, new modifications of the Trojan.Win32.Nymaim family were discovered. They included a fragment of Gozi, used by cybercriminals to steal user payment data in online banking systems. 
In Q1 2017, Gozi (2.66%) was in 7th position in the rating.\n\n### Ransomware Trojans\n\nMay 2017 saw the outbreak of the unprecedented epidemic of the [Wannacry 2.0](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) ransomware cryptor, which spread using a worm that exploited a vulnerability in several Windows versions.\n\nNo sooner had this epidemic died down than, in June 2017, a massive attack involving another Trojan \u2013 [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) \u2013 occurred. Wannacry 2.0 did not have obvious geographic preferences and attacked all countries indiscriminately, while ExPetr chose Ukraine as its main target. Kaspersky Lab specialists found out that [ExPetr](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>) encrypts the MFT (the system area of the NTFS file system) irreversibly, which means an affected user's computer cannot be completely restored even if the user pays the ransom.\n\nApart from the large-scale epidemics that shook the world, in Q2 2017 an interesting trend emerged: several criminal groups behind different ransomware cryptors ceased their activities and published the secret keys needed to decrypt victims' files. Below is the list of families whose keys became public during the reporting period: \n\n * Crysis (Trojan-Ransom.Win32.Crusis);\n * AES-NI (Trojan-Ransom.Win32.AecHu);\n * xdata (Trojan-Ransom.Win32.AecHu);\n * Petya/Mischa/GoldenEye (Trojan-Ransom.Win32.Petr).\n\n#### The number of new modifications\n\nIn Q2 2017, we discovered 15 new ransomware families. The number of new modifications was 15,663, which is considerably fewer than the number of modifications that appeared in the previous quarter. 
Also, in the first quarter most of the new modifications turned out to be Cerber cryptor variants, while in the second quarter this verdict faded into the background, giving way to a new cryptor \u2013 the now infamous Wannacry.\n\n[![](https://securelist.com/files/2017/08/New_Ransomware_Modifications_.png)](<https://securelist.com/files/2017/08/New_Ransomware_Modifications_.png>)\n\nThe number of new ransomware modifications, Q2 2016 - Q2 2017\n\nCurrently we observe a sharp decrease in the number of new Cerber samples. This probably means that the development and distribution of this malware family is coming to an end. Time will tell whether that is true or not. Along with Cerber, the total number of ransomware modifications went down in the second quarter of 2017.\n\n#### The number of users attacked by ransomware\n\nIn Q2 2017, 246,675 unique KSN users were attacked by cryptors, which is almost as many as in the previous quarter. Despite the drop in the number of new modifications, the number of protected users grew.\n\n[![](https://securelist.com/files/2017/08/Users_Attacked_by_Ransomware_EN.png)](<https://securelist.com/files/2017/08/Users_Attacked_by_Ransomware_EN.png>)\n\nNumber of unique users attacked by Trojan-Ransom cryptor malware (Q2 2017)\n\n### The geography of attacks\n\n[![](https://securelist.com/files/2017/08/Map_Geography_Attacks_.jpg)](<https://securelist.com/files/2017/08/Map_Geography_Attacks_.jpg>)\n\n#### Top 10 countries attacked by cryptors\n\n| **Country** * | **% of users attacked by cryptors** ** \n---|---|--- \n1 | Brazil | 1.07% \n2 | Italy | 1.06% \n3 | Japan | 0.96% \n4 | Vietnam | 0.92% \n5 | South Korea | 0.78% \n6 | China | 0.75% \n7 | Cambodia | 0.75% \n8 | Taiwan | 0.73% \n9 | Hong Kong | 0.66% \n10 | Russia | 0.65% \n \n_* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000). \n** Unique users whose computers have been targeted by ransomware as a 
percentage of all unique users of Kaspersky Lab products in the country._\n\n### Top 10 most widespread cryptor families\n\n| **Name** | **Verdict** * | **% of attacked users** ** \n---|---|---|--- \n1 | Wannacry | Trojan-Ransom.Win32.Wanna | 16.90% \n2 | Locky | Trojan-Ransom.Win32.Locky | 14.91% \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 13.54% \n4 | Jaff | Trojan-Ransom.Win32.Jaff | 11.00% \n5 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 3.54% \n6 | Spora | Trojan-Ransom.Win32.Spora | 3.08% \n7 | ExPetr | Trojan-Ransom.Win32.ExPetr | 2.90% \n8 | Shade | Trojan-Ransom.Win32.Shade | 2.44% \n9 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.85% \n10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 1.67% \n \n_* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data. \n** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware._\n\nIn addition to the abovementioned Wannacry and ExPetr, the Top 10 most popular cryptors included another two \"newcomers\": Jaff and Purgen. Jaff was 4th, followed by Cryrar. Kaspersky Lab specialists carried out a detailed analysis of the Trojan and discovered a flaw in its implementation of cryptographic algorithms, which made it possible to create a utility for decrypting files.\n\nOther positions were occupied by Cerber, Locky, Spora and Shade.\n\n### Top 10 countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). 
Any unique host could be the source of one or more web attacks._\n\nIn order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.\n\nIn Q2 2017, Kaspersky Lab solutions blocked 342,566,061 attacks launched from web resources located in 191 countries around the world. 33,006,783 unique URLs were recognized as malicious by web antivirus components.\n\n[![](https://securelist.com/files/2017/08/Webattacks_countries_EN.jpg)](<https://securelist.com/files/2017/08/Webattacks_countries_EN.jpg>)\n\nDistribution of web attack sources by country, Q2 2017\n\nIn Q2 2017, the US took the lead in the number of web attack sources. Sources in France turned out to be more \"popular\" than those in Russia and Germany.\n\n### Countries where users faced the greatest risk of online infection\n\nIn order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the Malware class. 
The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country** * | **% of users attacked** ** \n---|---|--- \n1 | Algeria | 29.15 \n2 | Albania | 26.57 \n3 | Belarus | 25.62 \n4 | Qatar | 24.54 \n5 | Ukraine | 24.28 \n6 | India | 23.71 \n7 | Romania | 22.86 \n8 | Azerbaijan | 22.81 \n9 | Tunisia | 22.75 \n10 | Greece | 22.38 \n11 | Brazil | 22.05 \n12 | Moldova | 21.90 \n13 | Russia | 21.86 \n14 | Vietnam | 21.67 \n15 | Armenia | 21.58 \n16 | Taiwan | 20.67 \n17 | Morocco | 20.34 \n18 | Kazakhstan | 20.33 \n19 | Kyrgyzstan | 19.99 \n20 | Georgia | 19.92 \n \n_These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). \n** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 17.26% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.\n\n[![](https://securelist.com/files/2017/08/Map_Infection_Internet_.jpg)](<https://securelist.com/files/2017/08/Map_Infection_Internet_.jpg>)\n\nGeography of malicious web attacks in Q2 2017 (ranked by percentage of users attacked)\n\nThe countries with the safest online surfing environments included Cuba (5%), Finland (11.32%), Singapore (11.49%), Israel (13.81%) and Japan (7.56%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got onto the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, 
etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q2 2017, Kaspersky Lab's file antivirus detected 185,801,835 unique malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\nThe Top 20 countries where users faced the highest risk of local infection remained almost unchanged from the previous quarter; however, Kazakhstan and Belarus were replaced by Mozambique and Mauritania:\n\n| **Country** * | **% of users attacked** ** \n---|---|--- \n1 | Afghanistan | 52.08 \n2 | Uzbekistan | 51.15 \n3 | Yemen | 50.86 \n4 | Tajikistan | 50.66 \n5 | Algeria | 47.19 \n6 | Ethiopia | 47.12 \n7 | Laos | 46.39 \n8 | Vietnam | 45.98 \n9 | Turkmenistan | 45.23 \n10 | Mongolia | 44.88 \n11 | Syria | 44.69 \n12 | Djibouti | 44.26 \n13 | Iraq | 43.83 \n14 | Rwanda | 43.59 \n15 | Sudan | 43.44 \n16 | Nepal | 43.39 \n17 | Somalia | 42.90 \n18 | Mozambique | 42.88 \n19 | Bangladesh | 42.38 \n20 | Mauritania | 42.05 \n \n_These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. 
The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives. \n* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). \n** Unique users in the country whose computers blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products._\n\nAn average of 20.97% of computers globally faced at least one Malware-class local threat during the second quarter. Russia's contribution to this rating accounted for 25.82%. \n[![](https://securelist.com/files/2017/08/Map_Infection_Local_.jpg)](<https://securelist.com/files/2017/08/Map_Infection_Local_.jpg>) \nThe safest countries in terms of local infection risks were: Chile (15.06%), Latvia (14.03%), Portugal (12.27%), Australia (9.46%), Great Britain (8.59%), Ireland (6.30%) and Puerto Rico (6.15%).", "reporter": "Roman Unuchek", "published": "2017-08-15T09:00:29", "type": "securelist", "title": "IT threat evolution Q2 2017. Statistics", "enchantments": {}, "bulletinFamily": "blog", "cvelist": ["CVE-2017-0199", "CVE-2017-0261", "CVE-2017-0262"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-15T09:00:29", "id": "SECURELIST:0C40BC07DFF80D4B158D166D0DC2C870", "href": "https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-08-15T15:11:07", "references": [], "description": "I recently reported a security issue to Google: the vulnerability would allow an attacker to confirm whether a visitor to a web page is logged in to any Google service account, including GSuite accounts. \n![](/Article/UploadPic/2017-8/2017815191446554.png?www.myhack58.com) \nAccording to my test results, an attacker can confirm approximately 1000 e-mail accounts every 25 seconds. Google's reply, however, was that this is a specially designed function and not a security vulnerability. \nYou can test the vulnerability yourself on the [demo page]. \nFirst, an animated demo of the PoC; the test account is my own mailbox: \n![](/Article/UploadPic/2017-8/2017815191446845.gif?www.myhack58.com) \nMethodology \nI once wrote an article on \u201cidentifying whether a user is logged in to a social network\u201d, and the attack described there is the prior art of which this is a variant. However, IMHO, the attack method described in this article has a more severe impact. \nGoogle's login page usually carries a continue parameter in the URL; this parameter is responsible for redirecting the user, once they have completed the login, to the destination address they originally wanted to access. If you are already logged in, however, you are immediately redirected to the URL defined by the continue parameter. \nAs a result, an attacker can take advantage of this mechanism: a specially crafted URL redirects a logged-in user to an image file, while a user who is not logged in is shown the login page instead. If this URL is used in the src attribute of an img tag, the JavaScript onload and onerror handlers can be used to determine whether the image loaded correctly. \nIf the image loads successfully, the user is logged in; if loading the image produces an error, the user is not logged in. Google has in fact long known about this issue, but since the technique has certain limitations and cannot cause serious impact, Google did not bother with it. 
\nBut the problem is not as simple as Google imagines, because the attacker can now also supply an additional parameter specifying an e-mail address. This means that the redirect is triggered only if the e-mail address supplied by the attacker matches the target user's e-mail address. \nAs a result, the attacker can use JavaScript in the onload handler to dynamically create and load image tags; the image objects never need to be added to the web page or even attached to its DOM tree, and the attacker simply waits for a match to be found. In my tests, I could check approximately 1000 e-mail addresses every 23-24 seconds. If the target user is logged in and stays on your site for a few minutes, several thousand e-mail addresses can be checked. \n![](/Article/UploadPic/2017-8/2017815191446927.png?www.myhack58.com) \nThis needs to be combined with other methods of collecting basic information about the target users, for example learning their location from their IP address, or using targeted social advertising to gather information about their corporate network and other basic details. If that goes well, a list of target addresses can be loaded dynamically. Next, the technique described in this article can be used to match and record the target user's e-mail address, IP address, geographic location, device information and a variety of other information. \nThe collected information can then be used to launch a live phishing attack. 
\nVulnerability disclosure timeline \nJuly 14, 2017: I reported this issue to the Google security team; \nJuly 17, 2017: the issue was triaged and awaiting a decision; \nJuly 18, 2017: the Google security team contacted me and asked for my recommendations on handling the vulnerability; \nJuly 18, 2017: my recommendation was to use a random number or a salted hash in place of the e-mail address, and to allow the redirect only when the hash matches the e-mail; \nJuly 19, 2017: Google confirmed that the issue had been classified as a security vulnerability; \nJuly 21, 2017: I published an article describing the vulnerability in detail; \nAugust 9, 2017: after discussion, the Google team told me that this is a specially designed function and would not be considered a security issue, so they will take no further action; \nSummary \nThis attack technique does have certain limitations, because a list of target users must first be obtained. Although the Google security team does not consider this a security vulnerability, I still thank them very much for replying to my submission in a timely manner; they were very friendly. \n\n", "edition": 1, "reporter": "\u4f5a\u540d", "published": "2017-08-15T00:00:00", "title": "How to confirm Google the user's specific e-mail address-vulnerability warning-the black bar safety net", "type": "myhack58", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "modified": "2017-08-15T00:00:00", "id": "MYHACK58:62201788600", "href": "http://www.myhack58.com/Article/html/3/62/2017/88600.htm", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2017-08-14T22:09:20", "references": [], "description": "Last week, we explained how [security certificates](<https://blog.malwarebytes.com/security-world/2017/08/explained-security-certificates/>) work and how malware authors have used them to block security software from being downloaded and executed. 
We also showed how the [Magnitude exploit kit is spreading a Cerber ransomware](<https://blog.malwarebytes.com/threat-analysis/2017/08/cerber-ransomware-delivered-format-different-order-magnitude/>) variant that uses binary padding in an attempt to get skipped, because of its file size, during antivirus scans.\n\n### Latest updates for Businesses\n\n * Password rules have been way too complicated [says the man that invented those rules](<https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118>) and regrets it. These rules [have now been updated](<https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity>).\n * [Locky made another comeback](<https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-with-spam-campaign-pushing-diablo6-variant/>) (maybe we should call it Rocky), this time using the diablo6 extension.\n * And another ransomware that came back is the [disk-encrypting Mamba](<http://www.zdnet.com/article/destructive-disk-encrypting-mamba-ransomware-springs-back-to-life/>).\n * [Microsoft and Kaspersky](<https://www.theregister.co.uk/2017/08/10/kaspersky_drops_antitrust_complaint_against_microsoft/>) seem to get closer to burying the hatchet concerning the claim by the Russian anti-virus company that the US software giant was unfairly promoting the use of Windows Defender over third-party security products.\n * Salesforce fired two of its senior security engineers after their talk at DEF CON. Or actually told them up front that they would be fired if they went ahead with the talk. 
Which they did as they didn\u2019t see that text message on time.\n\n### Latest updates for Consumers\n\n * A document was leaked that [discloses CouchPotato](<http://thehackernews.com/2017/08/cia-hacking-tool-video.html>), which is how the CIA uses a remote tool to stealthily collect RTSP/H.264 video streams.\n * After the leak of some Game of Thrones episodes by [HBO hackers](<http://www.bbc.com/news/technology-40922309>) earlier in the week, there was a bigger data dump this weekend, including episodes of Insecure, Ballers, Barry, The Deuce, a comedy special and other programming.\n * [Google brings phishing protection to iOS](<https://betanews.com/2017/08/11/gmail-ios-phishing/>). A few months after releasing the anti-phishing feature for Android, Google now does the same for iOS. Google: \u201cGoing forward, when you click on a suspicious link in a Gmail message on your iPhone or iPad, we'll show a warning. We recommend that you use caution before proceeding, because the link is likely unsafe. Only proceed if you're confident there's no risk.\u201d\n\n### In other security news:\n\n * [Ukraine announced it has arrested a man responsible for NotPetya](<http://thehackernews.com/2017/08/ukraine-petya-ransomware-hacker.html>), but if you read the announcement closely it turns out to be a bookkeeper explaining how to infect business machines on demand, so the companies with the infected machines can claim to be excused from doing their taxes before the closing date, and not the person or organization behind the original attack.\n * [Biological malware could become the next big threat.](<https://themerkle.com/scientific-research-shows-biological-malware-can-become-the-next-big-threat/>) According to recent scientific research at the University of Washington, human DNA can be used to take advantage of computer systems. Right now, DNA is not a security risk. 
Their test was only successful because the researchers were able to create a perfect scenario to improve their chance of success.\n * [US court system bug opened hole for hackers to scoop up legal docs for free on victims' dime](<https://www.theregister.co.uk/2017/08/09/pacer_legal_doc_site_flaw/>). A cross-site request forgery vulnerability in the American court system's document archive PACER has been fixed. The bug could have been exploited to hijack accounts and retrieve civil and criminal lawsuit files on victims' dime.\n\nSafe surfing, everyone!\n\n_The Malwarebytes Labs Team_\n\nThe post [Week in Security (August 7 \u2013 August 13)](<https://blog.malwarebytes.com/security-world/week-in-security/2017/08/week-security-august-7-august-13/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Malwarebytes Labs", "published": "2017-08-14T19:51:26", "type": "malwarebytes", "title": "Week in Security (August 7 \u2013 August 13)", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-14T19:51:26", "id": "MALWAREBYTES:AF1B244F19B564CE4CC28E1878719EFB", "href": "https://blog.malwarebytes.com/security-world/week-in-security/2017/08/week-security-august-7-august-13/", "cvss": {"score": 0.0, "vector": "NONE"}}]}}